A billion or more Android devices are vulnerable to hacks that could turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported this week.
The vulnerabilities could be exploited when a target downloads a video or other content that is rendered by the chip. Targets can also be attacked by installing malicious apps that require no permissions at all.
From there, attackers can monitor locations, listen to nearby audio in real time, and exfiltrate photos and videos. Exploits also make it possible to render the phone completely unresponsive. Infections can be hidden from the operating system in a way that makes disinfection difficult.
Snapdragon is what is known as a DSP, or digital signal processing, chip. This kind of system on a chip is essentially a whole computer on one chip. Multiple hardware and software components tackle a variety of tasks, including charging and video, audio, augmented reality and other multimedia features. Phone makers can also use DSPs to run dedicated apps that enable custom features.
New attack surface
“While DSP chips provide a relatively economical solution that allows mobile phones to provide more functionality to end users and enable innovative features – they do come at a cost,” researchers from security firm Check Point wrote in a brief report on the vulnerabilities they discovered. “These chips introduce new attack surface and weaknesses to these mobile devices. DSP chips are much more vulnerable to risks because they are managed as ‘Black Boxes’, as they can be very complex for anyone other than their manufacturer to control their design, functionality or code.”
Qualcomm has released a fix for the flaws, but so far it has not been included in the Android OS or in any Android device using Snapdragon, Check Point said. When I asked when Google might add the Qualcomm patches, a company spokesman said to check with Qualcomm. The chipmaker did not respond to a request for comment.
Check Point is withholding technical details about the vulnerabilities and how they can be exploited until fixes make their way into end-user devices. Check Point has named the vulnerabilities Achilles.
In a statement, Qualcomm officials said: “Regarding the vulnerability of Qualcomm Compute DSP, as reported by Check Point, we have been working hard to validate the issue and make appropriate mitigations available to OEMs. We have no evidence that it is currently being exploited. We encourage end users to update their devices when patches are available and only install applications from trusted locations such as the Google Play Store.”
Check Point said Snapdragon is incorporated into about 40 percent of phones worldwide. With an estimated 3 billion Android devices, that amounts to more than a billion phones. In the U.S. market, Snapdragons are embedded in about 90 percent of devices.
There is not much useful guidance to give users for protecting themselves against these exploits. Downloading apps only from Play can help, but Google’s track record of vetting apps shows that advice has limited efficacy. There is also no way to effectively identify booby-trapped multimedia content.