Security researches warn over one billion Android phones are at risk of becoming a spying tool for hackers.
The team found 400 vulnerabilities in Qualcomm’s Snapdragon chips, which are staples in the smartphones.
The flaws, collectively called ‘Achilles,’ lets cybercriminals access photos, videos, location data and other sensitive details on the handset.
First uncovered by the firm Check Point, experts say users only need to install what seems like a benign app, but is actual riddled with malware that lets hackers launch their attack.
Yaniv Balmas, head of cyber research at Check Point, said: ‘You can be spied on. You can lose all your data.’
‘If such vulnerabilities are found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time.’
Check Point has shared its findings with Qualcomm and affected smartphone vendors, but has not posted the vulnerabilities to the public so as not to provide any opportunities to hackers.
Snapdragon system-on-a-chip products can be found on leading phone products by Google, Samsung, Xiaomi, LG, and OnePlus.
However, iPhone users are safe from Achilles, as Apple provides its own processors.
Qualcomm said it is addressing the vulnerabilities; issuing a new compiler and a new software development kit. But it is up to phone vendors to distribute patches for each model phone carrying the affected processor.
‘For vendors, it means they will need to recompile each and every DSP application they use, test them, and fix any issues [that] may occur,’ said Balmas. ‘Then they need to ship these fixes to all devices in the market.’
Snapdragon chips are used in a range of smartphones, wearables, automobile systems and other devices.
Electronic developers have long welcomed the technology for its speed and performance abilities, power capabilities, 5G support, graphics handling and embedded fingerprint reading capacity.
However, security experts have closely watched these digital signal processors (DSP) due to possible flaws because technical specs are usually closely guarded by manufacturers.
‘While DSP chips provide a relatively economical solution that allows mobile phones to provide end users with more functionality and enable innovative features, they do come with a cost,’ researchers from Check Point state in a report posted online.
‘These chips introduce new attack surfaces and weak points to these mobile devices.’
‘DSP chips are much more vulnerable to risks as they are being managed as ‘Black Boxes’ since it can be very complex for anyone other than their manufacturer to review their design, functionality or code.’
‘Our research managed to break these limits and we were able to have a very close look at the chip’s internal design and implementation in a relatively convenient way,’ Balmas said.
‘Since such research is very rare, it can explain why we found so many vulnerable code sections.’
Qualcomm said it has no evidence the vulnerabilities are ‘currently being exploited,’ but urged customers ‘to update their devices as patches become available and to only install applications from trusted locations, such as the Google Play Store.’
END
Be the first to comment