Millions of Android phones at risk due to ‘Achilles’ flaw in Qualcomm chips
When shopping for a new smartphone, chances are you’ll focus on price, design, and features first, and probably not on the silicon that powers it. However, researchers have found that Qualcomm’s Snapdragon chip, one of the most widely used in Android phones, contains hundreds of bits of vulnerable code that expose millions of Android users.
To back it up a bit, Qualcomm is a major chip supplier for several well-known tech companies. In 2019, its Snapdragon processor series could be found in almost 40% of all Android smartphones, including top flagship phones from Google, Samsung, Xiaomi, LG and OnePlus. Researchers at Check Point, a cybersecurity firm, found that the digital signal processor (DSP) on Qualcomm Snapdragon chips had over 400 pieces of vulnerable code. The vulnerabilities, known as “Achilles”, can impact phones in three main ways.
Attackers would only have to convince someone to install a seemingly benign application that bypasses the usual security measures. Once this is done, an attacker could turn the affected phone into a spy tool. They could access photos, videos, GPS and location data from a phone. Hackers could also record calls and activate the phone’s microphones without the owner ever knowing. An attacker could also choose to render the smartphone completely unusable by locking down all data stored on it in what the researchers described as a “targeted denial of service attack.” Finally, bad actors could also exploit vulnerabilities to hide malware in a way that is unknown to the victim and irremovable.
One of the reasons that so many vulnerabilities have been discovered is that DSPs are sort of a “black box”. It’s hard for anyone other than the DSP manufacturer to examine what makes them work. That could be considered a good thing, as it makes them a tough nut to crack. Conversely, this also means that security researchers cannot test them easily, which means that they are likely ripe for several unknown security vulnerabilities. The other aspect is that the DSP enables a lot of the innovative features that we would expect on smartphones. This includes things like fast charging and various multimedia features like video, HD capture, and advanced AR. This makes the DSP a super efficient and economical component, but potentially opens up more avenues for hackers to control devices.
Check Point said it disclosed its findings to Qualcomm, government officials and affected vendors. However, the company has said it will not publicly release details of the Achilles fault, as millions of devices may remain at risk. While Qualcomm has since fixed the problem, that doesn’t mean your Android phone is automatically secure. It is up to the phone makers to deliver the relevant security fixes to their customers, which can take some time.
In a statement to CNET, Qualcomm claims to have “worked diligently to validate the problem and make appropriate mitigation measures available” to smartphone makers. And although the company has said it has found no evidence of the Achilles vulnerabilities being exploited in the wild, it has advised Android users to update their phones as patches become available and to install only verified apps from official app stores.