More than a billion Android devices are exposed to attacks that can turn them into espionage tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chips.
These vulnerabilities can be exploited when the target downloads a video or other content that the chip has to render. Targets can also be compromised by installing a malicious app, even one that requires no permissions.
From there, attackers can monitor the device's location, listen to sounds around it in real time, and access the photos and videos stored on it. The vulnerabilities can also be used to make the phone completely unresponsive. It’s worth noting that all signs of infection are hidden from the system, which makes the infection difficult to remove.
Snapdragon is a DSP chip, or digital signal processor. This SoC is essentially a computer on a single chip, with many hardware and software components that handle a variety of tasks, including charging, video, audio, AR, and other multimedia functions. Phone manufacturers also use DSP chips to run specialized applications that support their proprietary features.
New offensive fronts
“While DSP chips offer a relatively economical solution, allowing mobile phones to provide end users with more functionality and support innovative new features – they still have limitations,” researchers from security firm Check Point wrote in a brief report of the vulnerabilities they discovered. “These chips open up a new front, with new vulnerabilities, on mobile devices. DSP chips are much more vulnerable to attack, as they are managed as ‘Black Boxes’ because of their very high complexity, so that no one other than the manufacturer can consider their design, functionality or code.”
The researchers named this vulnerability Achilles
Qualcomm has released a patch for these vulnerabilities, but so far it has not been integrated into the Android operating system or into any Android device using a Snapdragon chip. Asked when the Qualcomm patch will be included in the operating system, a Google representative said they would need to check with Qualcomm before giving a specific answer. Qualcomm did not respond to an email asking the same question.
Check Point is currently withholding the technical details of the vulnerabilities, and of how they can be exploited, until patches reach end-user devices. Check Point calls these vulnerabilities Achilles.
In a press release, Qualcomm executives said: “Concerning the Qualcomm Compute DSP vulnerability discovered by Check Point, we immediately worked to validate the issue and take appropriate restrictive measures to OEMs. We don’t have any evidence that it is currently being exploited. We encourage end users to update their devices as soon as patches are released, and only install apps from trusted sources such as the Google Play Store.”
Check Point says Snapdragon is present in about 40% of phones worldwide. With an estimated 3 billion Android devices in the world, that means more than 1 billion phones are affected. In the US market, Snapdragon chips are used in about 90% of devices.
There is not much useful guidance for users who want to protect themselves against these vulnerabilities. Downloading apps only from the Play Store is one measure, but Google has a history of lapses that let malware-laden apps get past its vetting, so the effectiveness of this advice is limited. In addition, there is no effective method to correctly identify malicious media content.