- DSPs contain reported more than 400 vulnerabilities in Qualcomm Snapdragon chips.
- Attackers could use these for spies, malware, or just bricking devices.
- Fixes are underway and there are no known attacks, but it is still ongoing.
If you are using an Android phone with a Snapdragon chip inside, there is a good chance that it is susceptible to a host of potentially serious security flaws. Check Point security researchers say they have discovered more than 400 cluster vulnerabilities, nicknamed “Achilles,” in Qualcomm’s Snapdragon chips digital signal processors (DSPs).
The team keeps the details a secret to prevent vulnerable use of the vulnerability before there is a fix. However, the consequences can be serious. Check Point says attackers can record silent conversations, steal data, render devices unusable, and even install completely silent, non-removable malware.
It is not clear how easy it is to exploit the flaws as a result. However, the researchers used “fuzz test technologies” and other methods to identify defects in the DSPs, which tend to be from black boxes that are more difficult to study. Check Point noted that telemarketer could not simply repair this because the chipmaker (in this case Qualcomm) had to address the issues first.
See also: The best apps for antivirus and anti-malware for Android
Solutions are happily on the way. Qualcomm has acknowledged the flaws and shared details with brands while offering “appropriate mitigations” to brands, a spokesman said. MarketWatch. The representative also said that there was “no evidence” of active exploits, and that users could minimize their risk by getting patches as available and downloading apps from “trusted” outlets such as the Google Play Store.
The practical threat is relatively low until and unless there is an Achilles exploitation in the wild. Even there is an important reason to worry. Snapdragon chips accounted for an estimated 40% of the phones shipped in 2019 and are present in heavyweight devices such as Samsung, LG, and Xiaomi. That could potentially expose “hundreds of millions” of phones, according to Check Point chief investigator Yaniv Balmas, and fixing them could be difficult or impossible.
Qualcomm itself offers extensive support for Android devices, but that does not apply to the vendors themselves. As has become all too clear, Android vendors have historically been slow to deliver updates and can cut support much faster than Qualcomm. Although security patches are sometimes delivered earlier and outside of the usual support schemes, there may be millions of phones that are not getting fixes right now due to age or vendor update policies.
