Android smartphones running on a specific Qualcomm digital signal processor (DSP) chip are reported to have as many as 400 vulnerabilities.
These chips are found within Snapdragon system on a chips (SoCs), used in hundreds of millions of Android devices.
According to a report from security research firm Check Point, its researchers discovered that these vulnerabilities are also found in highend phones from Google, Samsung, LG, Xiaomi, OnePlus and more.
The research said that the chip manufacturer acknowledged the issues after being notified, and has also in turn notified the relevant device vendors regarding the vulnerabilities. It even assigned several CVE fixes to device vendors.
Check Point dubbed this Snapdragon chips' flaws are the "Achilles" of Android.
The 400 vulnerabilities found inside the Qualcomm DSP chips have been broken down into six separate security flaws, which are represented below by their CVE listings:
- CVE-2020-11201.
- CVE-2020-11202.
- CVE-2020-11206.
- CVE-2020-11207.
- CVE-2020-11208.
- CVE-2020-11209.
These can allow hackers to turn victims' phones into the "perfect spying tool", without any user interaction.
By exploiting the many vulnerabilities posed by the bugs, hackers can gain access to photos, videos, call-recording, real-time microphone data, GPS and location data, and much more. Furthermore, hackers may also be able to render target mobile phones to be constantly unresponsive, and literally make all the information stored inside those phones permanently unavailable.
This targeted denial-of-service attack can enable hackers to block the user from accessing photos, videos, contact details, and more.
And lastly, these vulnerabilities can also allow malware and other malicious code to completely hide their activities and become unremovable.
Check Point said that DSP chips are "breeding grounds" for vulnerabilities as they are being managed as "Black Boxes" due to the complex nature of these chips and their undefined architecture.
While Qualcomm fixed the issue, not everyone can benefit from it.
This is because mobile vendors have to rely on chip manufacturers to address the issue first. And even after a patch is made, it's still up to each individual smartphone vendor to send out specific patches.
What this means, Android OEMs simply lack in providing simple security updates, making Qualcomm to experience difficulties in pushing out critical firmware updates for all devices that are powered by its chips.
While the exact number of affected devices is unknown, Qualcomm's Snapdragon processors are already powering more than 40% of the Android smartphones available in the market. This leaves hundreds of millions of Android devices potentially at risk.
"Hundreds of millions of phones are exposed to this security risk," said Yaniv Balmas, the cyber research chief at Check Point. "You can be spied on. You can lose all your data. If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time."
With that being said, Qualcomm has already issued the following statement regarding Check Point's findings: