A billion or more Android devices are vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm's Snapdragon chip, researchers reported this week.
The vulnerabilities could be exploited if a target downloads a video or other content that is rendered by the chip. Targets can also be attacked by installing malicious apps that do not require any permissions at all.
From there, attackers can monitor locations and listen to nearby audio in real time and exfiltrate photos and videos. Exploits also make it possible to make the phone completely unresponsive. Infections can be hidden from the operating system in a way that makes disinfection difficult.
Snapdragon is a so-called system on a chip that provides a large number of components such as a CPU and a graphics processor. One of the functions, known as digital signal processing or DSP, performs a wide variety of tasks including charging functions, as well as video, audio, augmented reality and other multimedia functions. Phone manufacturers can also use DSPs to run dedicated apps that enable custom functions.
"While DSP chips offer a relatively economical solution that enables cell phones to offer end users more functionality and innovative functionality, they come at a cost," researchers from security firm Check Point wrote in a brief report on the vulnerabilities discovered. “These chips bring new attack surfaces and weak points in these mobile devices. DSP chips are much more vulnerable to risk as they are managed as "black boxes" as it can be very complex for anyone other than the manufacturer to review their design, functionality, or code. "
Qualcomm has released an update for the bugs, but it has not yet been built into the Android operating system or any Android device using Snapdragon, according to Check Point. When I asked when Google could add the Qualcomm patches, a company spokesperson said to check with Qualcomm. The chip manufacturer did not respond to an email request.
Check Point withholds technical details about the vulnerability and its exploitation until fixes are available on end-user devices. Check Point named the vulnerabilities Achilles.
In a statement, Qualcomm employees said: “Regarding the vulnerability disclosed by Check Point relating to Qualcomm Compute DSP, we have worked carefully to validate the issue and provide appropriate remedial action to OEMs. We have no evidence that it is currently being exploited. We encourage end users to update their devices as patches become available and only install applications from trusted locations such as the Google Play Store. "
Snapdragon is found in about 40 percent of phones worldwide, according to Check Point. With an estimated 3 billion Android devices, that's more than a billion phones. Snapdragons are embedded in around 90 percent of devices in the US market.
There aren't many helpful guides to provide users with protection from these exploits. Downloading apps only from Play can be helpful. However, Google's track record of reviewing apps shows that advice has limited effectiveness. There is also no way to effectively identify booby-trapped multimedia content.