Bugs in Qualcomm chips expose millions of Android handsets

Attackers could use the bugs to listen to audio in a device's surroundings, monitor a user's location and exfiltrate sensitive information

Researchers at cyber security firm Check Point claim to have uncovered more than 400 flaws in Qualcomm's Snapdragon digital signal processor (DSP) chips that hackers could use to steal sensitive data from Android devices.

According to the researchers, these bugs impact nearly 40 per cent of phones worldwide, meaning that hundreds of millions of Android handsets are at risk of being turned into spying tools.

The vulnerabilities can be exploited by tricking a user into downloading and installing malicious apps that require no permissions at all. Attacks can also be launched after a user downloads a video or similar content that is rendered by the DSP chip.

A successful attack would allow hackers to exfiltrate sensitive data, such as pictures and videos, listen to nearby audio in real time, monitor a user's location, and make the handset completely unresponsive.

Designed as a system on a chip (SoC), a DSP chip contains the software and hardware to optimise a variety of phone features, such as the multimedia experience and quick-charging capabilities. These processors are often described as a complete computer in a single chip, and most modern handsets include at least one.

DSP chips offer a relatively economical solution for phone makers to provide features on their devices, but they also come with a cost: they introduce new weak points and attack surfaces.

The Check Point researchers reported their discoveries to Qualcomm, which acknowledged the existence of the bugs and also notified vendors about them. The company assigned the following CVEs to the vulnerabilities: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

The company has patched the bugs and encourages users to update their handsets as patches become available for download.

"Providing technologies that support robust security and privacy is a priority for Qualcomm," a Qualcomm spokesperson said.

"Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store."

According to Check Point, the patches have not yet been included in the Android OS or in Android devices using Snapdragon.

The firm said that it would not reveal the full technical details of the bugs until mobile vendors come up with a comprehensive solution to mitigate the risks. The company has notified relevant government officials as well as relevant mobile firms, 'to assist them in making their handsets safer.'

The researchers said they have not yet noticed any usage of these vulnerabilities in the wild.