Check Point Research (CPR) security researchers have discovered a significant security vulnerability in a Qualcomm chip found inside hundreds of millions of Android handsets. The mobile station modem (MSM) chip is present in nearly 40% of all the world’s phones, CPR explained. Hackers aware of the vulnerability could have abused it to “inject malicious and invisible code” into phones, which would have allowed them to spy on users. Successful attacks would have allowed hackers to read SMS messages and listen to phone conversations.
The MSM chip powers phones from well-known Android vendors, including Google, Samsung, LG, Xiaomi, and OnePlus. It handles cellular communication, including 5G connectivity, and supports other advanced features such as high-definition recording.
The security issue that CPR found would have involved an attacker using a malicious Android application to target the MSM chip. This would have given the attackers access to the call history and SMS messages, allowed them to listen in on phone conversations, and even let them unlock a device’s SIM card.
The security researchers also say that the hackers would have been able to hide their activities within the modem chip. This would have made the attack invisible to Android and to the security protections built into the operating system. “In other words, if we assume a phone is infected with a malicious application, the application can then use the security flaw to ‘hide’ a large part of its activities ‘underneath’ the OS in the modem chip itself,” the researchers said.
It’s unclear whether the vulnerability was exploited in the wild, but the Check Point Research findings indicate that active exploitation would have been nearly impossible to detect from the Android side.
CPR also detailed the timeline of events. The researchers discovered the vulnerability in mid-October 2020, with Qualcomm confirming the issue (CVE-2020-11292) and classifying it as a “high rated vulnerability” on October 15th, a week after CPR notified the company.
Qualcomm fixed the vulnerability in December, several months before it was disclosed to the public. “Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end-users to update their devices as patches become available,” a Qualcomm spokesperson told Tom’s Guide.
It’s unclear whether Google has rolled out the patch for the CVE-2020-11292 vulnerability, as it’s not mentioned in any of the recent Android security updates. But a Qualcomm representative told the same publication that the fix would be included in the June Android security bulletin.
Whether Google has already rolled out the patch or still plans to, not all Android devices that might be impacted will receive the update at the same time. Attackers aware of the issue might still attempt to exploit it in the meantime.
Android users should always ensure that they’ve installed the latest Android versions and the latest Android security patches on their devices. CPR advises users to install apps only from trusted app stores to reduce the risk of installing malicious software that might attempt to steal data and exploit vulnerabilities.
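One concrete way to act on that advice is to check a device’s reported Android security patch level against the bulletin the article says carries the fix. The script below is an added example and is not code from the article, Check Point Research, Qualcomm, or Google. It assumes the June bulletin in question is the June 2021 one (the article gives the month but not the year) and relies on the real Android system property `ro.build.version.security_patch`, which holds a `YYYY-MM-DD` date; the function and variable names are the example’s own.

```shell
#!/bin/sh
# Added example: compare an Android security patch level against the
# bulletin the article says carries the CVE-2020-11292 fix.
# Assumption: that bulletin is June 2021 (the article names only the month).

FIX_BULLETIN="2021-06-01"

# Return 0 if the given patch level (YYYY-MM-DD) is at or after FIX_BULLETIN,
# 1 if it is earlier, and 2 if the string is not a well-formed patch level.
patched_for_cve_2020_11292() {
    patch_level="$1"
    case "$patch_level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes so the dates compare as plain integers (20210605 >= 20210601).
    level_num=$(printf '%s' "$patch_level" | tr -d '-')
    fix_num=$(printf '%s' "$FIX_BULLETIN" | tr -d '-')
    [ "$level_num" -ge "$fix_num" ]
}

# Read the patch level from a connected device; requires adb and USB debugging.
# ro.build.version.security_patch is the real property Android exposes for this.
report_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    if patched_for_cve_2020_11292 "$level"; then
        echo "security patch level $level: at or after the June 2021 bulletin"
    else
        echo "security patch level $level: earlier than the June 2021 bulletin; check for OEM updates"
    fi
}

# Uncomment to run against a connected device:
# report_device
```

The patch level only tells you which bulletin the OEM claims to have integrated; as the article notes, vendors ship updates on different schedules, so a device whose level predates the fix should be treated as potentially exposed until its manufacturer confirms otherwise.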