More than one billion Android phones may be compromised as researchers found 400 vulnerabilities in Qualcomm's Snapdragon chips, which are standard in smartphones and other gadgets.
Snapdragon system-on-a-chip products can be found on leading phone products by Google, Samsung, Xiaomi, LG, and OnePlus. Aside from smartphones, Qualcomm chips are also found in automobile systems, wearables, and other devices.
Meanwhile, iPhones are relatively safe from the flaws as Apple creates its processors.
According to a report in Daily Mail, the flaws are called "Achilles," which allows hackers to access videos, photos, location data, and other sensitive details on the device.
The flaws were uncovered by the security firm Check Point. In a blog posted on its website, users only need to install a seemingly safe app, which would let hackers launch their attack as it is strained with malware.
Check pointe also write that more than 400 vulnerable codes were found in the DSP chip tested, which could have the following impact on affected phones:
- Affected phones can be turned into spying tools without the need for user interaction. Attackers can infiltrate sensitive data like photos, videos, call-recording, GPS, real-time microphone data, and location data from the phones.
- Users may be denied of service as attackers may render the mobile phone unresponsive and all the stored information permanently unavailable.
- Hide malware and other malicious codes and fix them on the device.
Check Point head of cyber research Yaniv Balmas warned that users can lose all their data as they "can be spied on."
Balmas said that if these vulnerabilities are used by cyberattackers, it may spread out to millions of mobile phone users who cannot protect themselves for a long time.
Qualcomm's response to the security report
Check Point has already contacted Qualcomm and affected smartphone vendors to share its findings. It does not intend to post the flaws in public to avoid hackers from taking advantage of them.
The firm has also revealed the full research details to relevant government officials as well as to mobile vendors to help them make their handsets safer.
In response to the report, Qualcomm vowed to address the vulnerabilities. According to Ars Technica, it has issued a fix for the flaws, including a new compiler and a new software development kit. However, Check Point said it has not yet incorporated the fix into affected Android OS or any Android device that uses Snapdragon.
Balmas said vendors will be required to recompile each digital signal processor (DSP) application they use. They need to test them and fix any issues, then "ship these fixes to all devices" currently available in the market.
However, when Ars Technica asked Google when it will add the patches, a spokesman referred to the media outlet to Qualcomm, which did not respond to the email inquiry sent.
While electronic developers have long welcomed the DSP technology for its speed, performance, 5G support, power capabilities, graphics support, and embedded fingerprint reading ability, security experts are concerned due to possible flaws. Check Point researchers wrote on their report that DSP is "a relatively economical solution, but it comes with a cost.
"Our research managed to break these limits and we were able to have a very close look at the chip's internal design and implementation," Balmas said.
While Qualcomm said there is no reported exploitation of such vulnerabilities, it advised customers to update their devices only with patches available in trusted locations like the Google Play Store.