Vulnerabilities were found in a Qualcomm Snapdragon chip that could let attackers obtain photos, videos, call recordings, and other data on Android phones, says Check Point Research (via Bleeping Computer).
In a new report, Check Point described how it discovered more than 400 security flaws in a Snapdragon Digital Signal Processor (DSP) chip made by Qualcomm Technologies. Devised as a system on a chip, a DSP contains hardware and software designed to optimize such phone features as charging abilities, multimedia experiences, and audio.
The vulnerable DSP chip “can be found in nearly every Android phone on the planet, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more,” write the researchers.
These DSP flaws could help hackers turn targeted phones into their own spying devices by obtaining such information as photos, videos, call recordings, real-time microphone data, and GPS and location data. Further, attackers could render a phone unresponsive and unusable by making all of this stored information unavailable to the owners. The malware implanted by exploiting the flaws could also be unremovable.
Despite the risk posed by these vulnerabilities, Check Point hasn’t yet spotted any real-world exploits.
“We have not been able to identify any usage of these exploits in the wild,” Check Point explains. “This of course doesn’t mean they haven’t been used, but that we haven’t spotted them in our telemetry.”
Check Point’s researchers said they wouldn’t be specifying the technical details of the hundreds of vulnerabilities discovered, because the flaws still pose a security risk for potentially millions of devices.
Qualcomm acknowledged the vulnerabilities and released warnings about the flaws. The issues remain security risks unless phone manufacturers also push updates out to customers.
“We worked diligently to validate the issue and make appropriate mitigations available” to phone makers, Qualcomm said in a statement, adding that the company didn’t have any evidence that the problem was now being exploited by hackers. “We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” Qualcomm said.