Qualcomm chips in hundreds of millions of Android phones have a critical security flaw

Why it matters: There are over 3 billion smartphone users around the world and almost a third of those devices use Qualcomm modems that have a large number of vulnerabilities, allowing attackers to unlock your SIM and listen in on your conversations, among other things. Given the way the vast Android ecosystem works, the fix will take a while to reach all affected devices.

If the BLURtooth vulnerability didn't look particularly worrisome, now we have a new security problem that creates a potential backdoor into a third of all mobile phones in the world, including high-end Android phones made by Samsung, LG, Google, OnePlus, and Xiaomi.

According to a report from security firm Check Point Research, it found no less than 400 vulnerabilities on Qualcomm's Snapdragon Digital Signal Processor (DSP) subsystem last year that were eventually patched in November 2020. More recently, however, researchers stumbled upon yet another vulnerability while taking a close look at Qualcomm's Mobile Station Modems.

The Mobile Station Modem is a system-on-a chip that provides all the processing, device management, and wireless networking capabilities on many modern phones. The first of its kind was designed by Qualcomm in 1990, and today it is found on around 40 percent of all smartphones. Check Point researchers looked at how that can be used as a potential attack vector for malicious actors. More specifically, they looked at Android's ability to talk with the MSM's various components and peripherals through a proprietary communication protocol called the Qualcomm MSM Interface (QMI), something that is possible on 30 percent of all smartphones in the world.

The issue they found was of the heap overflow variety, and can be exploited by a malicious actor using an app installed on the phone, either sideloaded or from an alternative app store. Check Point researchers used a process known as fuzzing on the MSM data service to see if they could find a way to inject malicious code inside Qualcomm's real-time OS (QuRT), which is responsible for managing the MSM and is designed to be inaccessible even on rooted Android devices.

The QMI voice service, one of many services exposed by the MSM to the Android operating system, can be used to take over the MSM and inject code in QuRT. The attacker then gets easy access to your SMS and call history, and can start listening in on your voice conversations. Furthermore, they can unlock the SIM using the same vulnerability and bypass all security measures put in place by both Google as well as phone manufacturers.

The good news is that Qualcomm has disclosed the existence of the bug to all affected customers and has already released a patch in December 2020. However, there is no information on which phones will receive the patch – only the promise that the vulnerability will be included in the public June Android Security Bulletin under CVE-2020-11292.

Given how quickly most Android phone manufacturers stop issuing security patches, it's likely that some lower end devices will remain unpatched, while flagships have a higher chance of receiving the fix in the coming months.

Either way, the vulnerability affects hundreds of millions of phones, including those equipped with the latest Qualcomm Snapdragon 5G-capable mobile platforms – the Snapdragon 888 and Snapdragon 870.