When you’re on the hunt for a new smartphone, it’s likely that you’re focused on price, design, and features first — and probably not the silicon inside powering it. However, researchers have found that Qualcomm’s Snapdragon chip, one of the most widely used in Android phones, has hundreds of bits of vulnerable code that leaves millions of Android users at risk.
To back up a bit, Qualcomm is a major chip supplier to several well-known tech companies. In 2019, its Snapdragon series of processors could be found on nearly 40% of all Android smartphones, including high-profile flagship phones from Google, Samsung, Xiaomi, LG, and OnePlus. Researchers from Check Point, a cybersecurity firm, found the digital signal processor (DSP) in Qualcomm Snapdragon chips had over 400 pieces of vulnerable code. The vulnerabilities, altogether dubbed “Achilles,” can impact phones in three major ways.
[referenced url=”https://gizmodo.com.au/2020/08/this-devious-and-mostly-legal-ad-scam-is-bleeding-small-businesses-dry/” thumb=”https://gizmodo.com.au/wp-content/uploads/2020/08/07/geqcwmvwiwbaq6nbhpan-300×169.jpg” title=”This Devious (And Mostly Legal) Ad Scam Is Bleeding American Small Businesses Dry” excerpt=”For the past few months, a lot of folks — this reporter included — have watched their favourite local bookstores, pizza joints, and coffeeshops get systematically gutted by the economic tumult that came with the current pandemic. Back in April, academics predicted that this economic carnage would result in over…”]
Attackers would only have to convince someone to install a seemingly benign app that bypasses usual security measures. Once that’s done, an attacker could turn the affected phone into a spying tool. They’d be able to access a phone’s photos, videos, GPS, and location data. Hackers could potentially also record calls and turn on the phone’s microphones without the owner ever knowing. Alternatively, an attacker could choose to render the smartphone completely unusable by locking all the data stored on it in what researchers described as a “targeted denial-of-service attack.” Lastly, bad actors could also exploit the vulnerabilities to hide malware in a way that would be unknown to the victim, and unremovable.
Part of why so many vulnerabilities were found is that the DSP is a sort of “black box.” It’s difficult for anyone other than the manufacturer of the DSP to review what makes them work. That could be seen as a good thing as it makes them a tough nut to crack. Conversely, it also means security researchers can’t easily test them, meaning they are likely ripe for several unknown security flaws. The other side of it is that the DSP enables many of the innovative features we’ve come to expect on smartphones. That includes things like quick charging, and various multimedia features like video, HD capture, and advanced AR. It makes the DSP a super-efficient and economical component but potentially opens more pathways for hackers to control devices.
Check Point says it has disclosed its findings to Qualcomm, government officials, and the affected vendors. However, the firm said it would not publicly publish the particulars of the Achilles flaw as possibly millions of devices remain at risk. While Qualcomm has reportedly since fixed the issue, that doesn’t mean your Android phone is automatically safe. It’s up to phone makers to push the relevant security patches to their customer base, which could take some time.
In a statement to CNET, Qualcomm says it has “worked diligently to validate the issue and make appropriate mitigations available” to smartphone makers. And while the company said it hadn’t found any evidence of the Achilles vulnerability exploited in the wild, it advised Android users to update their phones as patches are made available and only install verified apps from official app stores.
We’ve reached out to Qualcomm and major phone makers for comment and will update when we hear back. And if you know anything about the vulnerability or how it’s being handled you can drop me an email at vsong@gizmodo.com or reach out anonymously via SecureDrop.