A vulnerability has been found in Qualcomm’s digital signal processor (DSP) chip. The DSP runs on more than 40% of global Android smartphones. To exploit the vulnerability, a malicious actor simply needs to convince their target to install a simple, benign application. The issue puts smartphones at risk of being taken over and used to spy on and track their users.
“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” a Qualcomm spokesperson told TechGig.
The chipmaker has acknowledged the vulnerabilities, which are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209. Yaniv Balmas, head of cyber research at Check Point, said, “Although Qualcomm has fixed the issue, it’s sadly not the end of the story. Hundreds of millions of phones are exposed to this security risk. You can be spied on. You can lose all your data. Our research shows the complex ecosystem in the mobile world. With a long supply chain integrated into each and every phone, it is not trivial to find deeply hidden issues in mobile phones, but it’s also not trivial to fix them.”
There are 2.5 billion active Android smartphones in the world. The Qualcomm vulnerabilities affect over 40% of current Android smartphones, making the situation even worse. According to the Check Point report, attackers need the users of these devices to install a small application in order to gain access to confidential information. The vulnerability can expose information such as calls, contacts, photos, real-time microphone data, and location.
Qualcomm has already notified its vendors so that they can understand the complexity, review the design and work on a fix. A botched attempt can make the chip more vulnerable to potential risks. While Qualcomm is working on a fix, there is no clarity on how it is planning to release the patch.