If you’ve bought an Android phone at any point in the last few decades, there’s a good chance it’s powered by a Qualcomm chip. The company’s smartphone share has rarely fallen below 40% in recent years – and that figure includes iPhones, which run exclusively on Apple processors. With that in mind, you should be alarmed by the latest research from Check Point, which shows that Qualcomm chips contain more than 400 vulnerabilities.
The potential problem, called Achilles, lies in the digital signal processor (DSP), which handles a lot of smartphone functionality, including charging, video and audio. Check Point’s research shows that these vulnerabilities could be exploited when a target downloads a malicious video or a dubious app.
Once a user downloads a malicious file, their phone is at the mercy of a third party, with hackers gaining access to files and location data, or even turning the handset into a spying tool by switching on the microphone. Alternatively, additional malware could be smuggled in, or a malicious type could simply delete all the data. However you paint it, it is bad news if you are infected.
“While DSP chips provide a relatively economical solution that enables mobile phones to provide end-users with more functionality and enable innovative features, they do come at a cost,” Check Point wrote in its report. “These chips introduce new attack surface and weaknesses to these mobile devices. DSP chips are much more vulnerable to risks because they are managed as ‘Black Boxes’, as they can be very complex for anyone other than their manufacturer to control their design, functionality or code.”
After all this bad news, here’s a little good. First, there is no evidence that the problem is being exploited ‘in the wild’ yet, which is a relief. Second, Qualcomm repaired the error before anyone managed to take advantage. “We are working hard to validate the issue and make appropriate mitigations available to OEMs,” the company said in a statement, adding that users “should update their devices as patches become available.”
Did you spot the bad news in that statement? That’s right: said patches are not yet available. While Qualcomm has made the fix, it still needs to be added to the Android OS by Google or delivered in software updates from each manufacturer. And while Check Point has not yet released any technical details about the vulnerability, it is still out there for a malicious third party to discover for themselves.
In the meantime, you should be extra careful when following links or downloading apps. Use the Google Play Store if you can – but even then you have to be careful, because Google’s app vetting procedures have never been exactly watertight.