The vulnerability has been found in Qualcomm Snapdragon chipset's Digital Signal Processor (DSP)
The vulnerability gives hackers access to confidential data on the device, including calls, contacts, location, photos, real-time microphone data
Qualcomm Snapdragon chipsets seem to have a vulnerability, according to Security researches at Check Point. If true, this will put over 40 percent of global Android phones at risk of spyware that will pose as an application on smartphones that ship with Qualcomm chipsets. The vulnerability has been found in Snapdragon's digital signal processor (DSP) and could open up the possibility of data theft, spying, and can potentially even lead to bricking of the devices. The report says that hackers would require users to install an application that, in turn, will give them access to most of the confidential data on the device, including calls, contacts, location, photos, real-time microphone data.
The data, which is accessed by hackers without the user's knowledge, can be used for extortion; the bricking of the phone may happen in case the hacker performs a DDoS attack. Qualcomm has acknowledged the vulnerabilities, informed Google, Samsung, and other brands about the same, and started working on patches. However, given the slow rollout of Android updates, it may be a while before every phone receives the required patches. Yaniv Balmas, head of cyber research at Check Point, said, "Although Qualcomm has fixed the issue, it's sadly not the end of the story. If such vulnerabilities are found and used by malicious actors, there will be tens of millions of mobile phone users with almost no way to protect themselves for a very long time."
As the vulnerability is located in the chipset's DSP, which is maintained as 'black boxes' by Qualcomm, it could be hard for vendors to understand their depth and design and later work on the fix. Qualcomm's spokesperson talking to Forbes, said, "Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Computer DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store."
The only safety measure, for now, is by not visiting shoddy websites or downloading/ installing unverified content until a fix is issued. Similarly, do not use public Wi-Fi networks if you use a Qualcomm-powered Android phone