A billion or more Android devices are vulnerable to hacks that can turn them into spyware by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported this week.
The vulnerabilities could be exploited when a target downloads a video or other content rendered by the chip. Targets can also be attacked by installing malicious apps that do not require any permissions at all.
From there, attackers can monitor locations and listen to nearby sounds in real time and filter photos and videos. Uses also make it possible to make the phone completely unresponsive. Infections can be hidden from the operating system in a way that makes disinfection difficult.
Snapdragon is what is known as a system on a chip that provides a variety of components, such as a CPU and a graphics processor. One of the features, known as digital signal processing, or DSP, handles a variety of tasks, including load capacity and video, audio, augmented reality and other multimedia features. Phone makers can also use DSPs to run dedicated apps that enable custom features.
“While DSP chips provide a relatively economical solution that enables mobile phones to provide end-users with more functionality and enable innovative features ̵
Qualcomm has released a fix for the flaws, but so far it has not been integrated into the Android OS or any Android device that uses Snapdragon, said Check Point. When I asked when Google could add the Qualcomm notes, a spokesman for the company said to check with Qualcomm. The chipmaker did not respond to a request for comment.
Check Point stores technical details about the vulnerabilities and how they can be exploited until corrections are made to end-user devices. Check Point has doubled the Achilles vulnerability. The more than 400 distinct bugs are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.
In a statement, Qualcomm officials said: “Regarding the Qualcomm Compute DSP vulnerability revealed by Check Point, we have worked diligently to validate the issue and make appropriate restrictions available to OEMs. We have no evidence that it is currently being exploited. We encourage end users to update their devices when patches become available and to install only applications from trusted sites such as the Google Play Store. “
Check Point said that Snapdragon is included in about 40 percent of the phones worldwide. With an estimated 3 billion Android devices, it amounts to more than a billion phones. In the US market, Snapdragons are embedded in about 90 percent of the devices.
There is not very good guidance to give users to protect themselves against these exploits. Downloading apps only from Play can help, but Google’s more detailed information about knowing apps shows that advice has limited effectiveness. There is also no way to effectively identify booby-trapped multimedia content.
This story originally appeared on Ars Technica.
More great wired stories