A high-severity vulnerability in Qualcomm’s Mobile Station Modem (MSM) chips, including the latest 5G-capable versions, could let attackers read mobile phone users’ text messages and call history and listen in on their conversations.
Qualcomm MSM is a series of 2G, 3G, 4G, and 5G capable systems on a chip (SoCs) used in roughly 40% of mobile phones from multiple vendors, including Samsung, Google, LG, OnePlus, and Xiaomi.
“If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones,” according to Check Point researchers who found the vulnerability tracked as CVE-2020-11292.
The flaw could also let attackers unlock the subscriber identity module (SIM) that mobile devices use to store network authentication data and contact information securely.
Exploitable by malware to evade detection
To exploit CVE-2020-11292, take control of the modem, and dynamically patch it from the application processor, an attacker has to trigger a heap overflow in the Qualcomm MSM Interface (QMI), the protocol through which the company’s cellular processors talk to the software stack on the application processor.
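The article does not reproduce the faulty code, so the following is an added illustration of the bug class it describes: a QMI-style message handler that trusts the length field of a type-length-value (TLV) element when copying it into a fixed-size heap buffer, next to a hardened version that checks the declared length against both the bytes actually received and the destination buffer before copying. The three-byte header layout, the 32-byte buffer, the handler names and the sample messages are assumptions constructed for the example; this is not Check Point’s finding or Qualcomm’s code.

```c
/* Added illustration of a heap overflow in a TLV message handler of the kind
 * QMI uses.  The header layout (1-byte type, 2-byte little-endian length,
 * then value), the buffer size and the handlers are hypothetical; this is
 * not Check Point's finding or Qualcomm code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLV_HDR_LEN 3    /* type (1) + length (2) */
#define VALUE_CAP   32   /* size of the heap buffer each handler allocates */

typedef struct {
    uint8_t        type;
    uint16_t       len;   /* length as declared by the sender, unverified */
    const uint8_t *value;
} tlv_t;

/* Read the TLV header.  Only checks that the header itself fits; the declared
 * length is taken on faith, which is what the hardened handler must not do. */
static int tlv_read_header(const uint8_t *msg, size_t msglen, tlv_t *out)
{
    if (msglen < TLV_HDR_LEN)
        return -1;
    out->type  = msg[0];
    out->len   = (uint16_t)(msg[1] | (msg[2] << 8));
    out->value = msg + TLV_HDR_LEN;
    return 0;
}

/* VULNERABLE: copies t.len bytes into a 32-byte heap chunk.  A message that
 * declares len > VALUE_CAP overflows the chunk, and len > msglen also
 * over-reads the input.  Kept to show the pattern; never feed it untrusted
 * input. */
int handle_tlv_vulnerable(const uint8_t *msg, size_t msglen)
{
    tlv_t t;
    if (tlv_read_header(msg, msglen, &t))
        return -1;
    uint8_t *val = malloc(VALUE_CAP);
    if (!val)
        return -1;
    memcpy(val, t.value, t.len);   /* no bound on t.len: heap overflow */
    free(val);
    return (int)t.len;
}

/* HARDENED: the declared length must fit both the bytes received and the
 * destination buffer before any copy happens. */
int handle_tlv_hardened(const uint8_t *msg, size_t msglen)
{
    tlv_t t;
    if (tlv_read_header(msg, msglen, &t))
        return -1;
    if (t.len > msglen - TLV_HDR_LEN)   /* claims more bytes than were sent */
        return -2;
    if (t.len > VALUE_CAP)              /* would overrun the heap buffer */
        return -3;
    uint8_t *val = malloc(VALUE_CAP);
    if (!val)
        return -1;
    memcpy(val, t.value, t.len);        /* safe: both bounds checked above */
    free(val);
    return (int)t.len;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t benign_msg[]    = { 0x01, 0x04, 0x00, 'a', 'b', 'c', 'd' };
/* Declares 0x0100 = 256 value bytes but carries 4: over-read plus a
 * 224-byte heap overflow in the vulnerable handler. */
static const uint8_t malicious_msg[] = { 0x01, 0x00, 0x01, 'a', 'b', 'c', 'd' };
/* Declares 33 bytes and really carries 33 (plus the literal's NUL), so the
 * input-length check passes and only the buffer-size check catches it. */
static const uint8_t oversize_msg[]  = "\x01\x21\x00"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAA";

int main(void)
{
    printf("hardened, benign:    %d\n", handle_tlv_hardened(benign_msg, sizeof benign_msg));
    printf("hardened, malicious: %d\n", handle_tlv_hardened(malicious_msg, sizeof malicious_msg));
    printf("hardened, oversize:  %d\n", handle_tlv_hardened(oversize_msg, sizeof oversize_msg));
    return 0;
}
```

The two checks in the hardened handler are deliberately separate: the first rejects a length that exceeds what arrived on the wire (an over-read), the second rejects a length that exceeds the allocation (the heap overflow), and a handler that performs only one of them is still exploitable.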
Malicious apps could also use the vulnerability to hide their activity under cover of the modem chip itself, effectively making themselves invisible to security features used by Android to detect malicious activity.
“We ultimately proved a dangerous vulnerability did in fact exist in these chips, revealing how an attacker could use the Android OS itself to inject malicious code into mobile phones, undetected,” Yaniv Balmas, Check Point Head of Cyber Research, told BleepingComputer.
“Going forward, our research can hopefully open the door for other security researchers to assist Qualcomm and other vendors to create better and more secure chips, helping us foster better online protection and security for everyone.”
Check Point disclosed its findings to Qualcomm in October 2020; Qualcomm later confirmed the research, rated the bug high severity, and notified the affected vendors.
To protect against malware exploiting this or similar bugs, Check Point advises users to install the latest OS updates for their devices, which usually include security fixes.
Installing apps only from official app stores also greatly reduces the risk of accidentally installing a malicious application.
More technical details on the CVE-2020-11292 vulnerability are available in the report published by Check Point today.
Security updates issued to OEMs in December
After receiving Check Point’s report, Qualcomm developed a fix for CVE-2020-11292 and made it available to all impacted vendors two months later, in December 2020.
“Providing technologies that support robust security and privacy is a priority for Qualcomm,” a Qualcomm spokesperson told BleepingComputer.
“We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices.
“Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end-users to update their devices as patches become available.”
Since Qualcomm shipped the CVE-2020-11292 fix to OEMs last year, users of newer Android devices that still receive system and security updates should be protected once those updates are installed (the Android security patch level shown in the device’s Settings indicates which month’s fixes are present).
Unfortunately, those who haven’t switched to a new device with support for newer Android releases in the last couple of years might not be so lucky.
To put things into perspective, roughly 19% of all Android devices are still running Android 9 Pie (released in August 2018) and over 9% are on Android 8.1 Oreo (released in December 2017), according to StatCounter data.
Last year, Qualcomm fixed more vulnerabilities affecting the Snapdragon Digital Signal Processor (DSP) that allowed attackers to take control of smartphones without user interaction, spy on their users, and install unremovable malware capable of evading detection.
KrØØk, a flaw that can be used to decrypt some WPA2-encrypted wireless network packets, was also fixed by Qualcomm in July 2020.
Another bug that could allow access to critical data and two flaws in the Snapdragon SoC WLAN firmware allowing over-the-air compromise of the modem and the Android kernel were patched one year earlier, in 2019.