A new vulnerability has been discovered in Qualcomm-produced phone chips. It can be exploited to gain access to data on affected devices, allowing an attacker to dig through the victim’s phone calls and text messages. The bug was discovered and reported by Check Point Research, which states that the vulnerability is exploitable on 30 percent of smartphones currently active across the globe.
According to Check Point Research, the bug currently affects devices from almost all Android smartphone manufacturers, including Samsung, Google, Xiaomi, LG and more. The researchers state that the vulnerable chips are currently used in 40 percent of the global phone population, but only 30 percent are equipped with the proprietary interface necessary for attacks to be conducted, the Qualcomm MSM Interface (QMI).
The bug affects the mobile station modem (MSM), the part responsible for providing capabilities to a majority of the important components within the phone.
In theory, an attack would require access to the operating system of a targeted device via a malicious trojanized app or some other method. After gaining access, the attacker can inject malicious code into the modem to reveal sensitive information.
According to the report, an attack of this type would hijack a phone’s QMI, a protocol that governs communication between the different software components within the MSM. In simple terms, such an attack would allow hackers to access the victim’s text messages and call history, while also giving them the ability to listen in on the user’s calls. Some cases might be even worse, as the attack would give them access to the device’s SIM card.
A patch for this vulnerability will take some time to roll out. Qualcomm will first issue an update, after which phone makers, building on that fix, would roll out their own fixes for the vulnerability.
A report by Ars Technica quoted a Qualcomm spokesperson as stating, “Qualcomm says it has notified all Android vendors. We do not know who or who did not patch.”