Cybersecurity researchers have disclosed a new security vulnerability in Qualcomm's mobile station modems (MSM) that could potentially allow an attacker to leverage the underlying Android operating system to slip malicious code into mobile phones, undetected.
"If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations," researchers from Israeli security firm Check Point said in an analysis published today.
The heap overflow vulnerability, tracked as CVE-2020-11292, resides in the QMI voice service API that the modem exposes to the high-level operating system. A malicious app could exploit it to conceal its activities "underneath" the OS, in the modem chip itself, making them invisible to the security protections built into the device.
In development since the 1990s, Qualcomm MSM chips let mobile phones connect to cellular networks and let Android talk to the chip's processor via the Qualcomm MSM Interface (QMI), a proprietary protocol that enables communication between the software components in the MSM and other peripheral subsystems on the device, such as cameras and fingerprint scanners.
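The article names the bug class (a heap overflow in a modem-facing API) but not its mechanics. The following is an added illustration, not Check Point's or Qualcomm's code: it models the general shape of a QMI-style type/length/value message and shows why a length field supplied by the less-trusted side must be checked before it drives a copy into a fixed-size object. The TLV layout (1-byte type, 2-byte little-endian length), the type id `0x01`, the `NUMBER_MAX` capacity and all function names are assumptions for the example, not the real voice-service definition.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified TLV layout: 1-byte type, 2-byte little-endian length,
 * then `length` value bytes. This is the general shape of QMI TLVs but is
 * NOT Qualcomm's actual voice-service message definition (hypothetical). */
#define TLV_HDR_LEN 3
#define TLV_TYPE_NUMBER 0x01   /* hypothetical type id for a dialled-number field */
#define NUMBER_MAX 81          /* assumed fixed capacity of the number field */

struct tlv_view {
    uint8_t type;
    uint16_t len;
    const uint8_t *val;
};

/* Reads the TLV at msg[*off] and advances *off past it.
 * Returns 1 when a TLV was read, 0 at a clean end of message, -1 when the
 * declared length would run past the end of the buffer (truncated/malformed). */
int tlv_next(const uint8_t *msg, size_t msg_len, size_t *off, struct tlv_view *out)
{
    if (*off == msg_len) return 0;
    if (msg_len - *off < TLV_HDR_LEN) return -1;
    out->type = msg[*off];
    out->len = (uint16_t)(msg[*off + 1] | ((uint16_t)msg[*off + 2] << 8));
    if (msg_len - *off - TLV_HDR_LEN < out->len) return -1;
    out->val = msg + *off + TLV_HDR_LEN;
    *off += TLV_HDR_LEN + out->len;
    return 1;
}

/* Vulnerable pattern: the length field comes from the other side of the
 * interface, yet it is used unchecked as the copy size into a fixed-capacity
 * destination. A TLV longer than NUMBER_MAX writes past the end of `dst`.
 * Shown for contrast only; nothing below calls it. */
void copy_number_unchecked(const struct tlv_view *tlv, char dst[NUMBER_MAX + 1])
{
    memcpy(dst, tlv->val, tlv->len);   /* no bound check: out-of-bounds write */
    dst[tlv->len] = '\0';
}

/* Hardened pattern: the framing is validated by tlv_next(), and the field
 * length is checked against the destination before any copy. An oversized
 * field is rejected outright rather than silently truncated.
 * Returns 0 on success, -1 if the message is malformed, -2 if the number
 * field exceeds the destination, -3 if no number TLV was present. */
int extract_number_checked(const uint8_t *msg, size_t msg_len, char dst[NUMBER_MAX + 1])
{
    size_t off = 0;
    struct tlv_view tlv;
    int rc;

    while ((rc = tlv_next(msg, msg_len, &off, &tlv)) == 1) {
        if (tlv.type != TLV_TYPE_NUMBER) continue;   /* ignore other TLVs */
        if (tlv.len > NUMBER_MAX) return -2;
        memcpy(dst, tlv.val, tlv.len);
        dst[tlv.len] = '\0';
        return 0;
    }
    return rc < 0 ? -1 : -3;
}

/* Constructs a sample message (test data, not captured traffic): one number
 * TLV whose length field says `declared` while `actual` bytes of '7' are
 * really present. Returns the message size, or 0 if it does not fit. */
size_t build_msg(uint8_t *buf, size_t cap, uint16_t declared, size_t actual)
{
    if (cap < TLV_HDR_LEN + actual) return 0;
    buf[0] = TLV_TYPE_NUMBER;
    buf[1] = (uint8_t)(declared & 0xff);
    buf[2] = (uint8_t)(declared >> 8);
    memset(buf + TLV_HDR_LEN, '7', actual);
    return TLV_HDR_LEN + actual;
}

int main(void)
{
    uint8_t msg[512];
    char number[NUMBER_MAX + 1];
    size_t n;
    int rc;

    n = build_msg(msg, sizeof msg, 10, 10);
    rc = extract_number_checked(msg, n, number);
    printf("well-formed: rc=%d number=%s\n", rc, number);

    n = build_msg(msg, sizeof msg, 300, 300);
    printf("oversized:   rc=%d (rejected before copy)\n",
           extract_number_checked(msg, n, number));

    n = build_msg(msg, sizeof msg, 300, 10);
    printf("truncated:   rc=%d (length runs past end of message)\n",
           extract_number_checked(msg, n, number));
    return 0;
}
```

The design point is that the two checks are independent: `tlv_next()` guards against a length that overruns the message buffer, and `extract_number_checked()` guards against a length that overruns the destination object. A parser that performs only the first check still has the heap-overflow shape of the unchecked copy.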
While 40% of all smartphones today, including those from Google, Samsung, LG, Xiaomi, and OnePlus, use a Qualcomm MSM chip, an estimated 30% of the devices come with QMI in them, according to research from Counterpoint.
"An attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user's call history and SMS, as well as the ability to listen to the device user's conversations," the researchers said. "A hacker can also exploit the vulnerability to unlock the device's SIM, thereby overcoming the limitations imposed by service providers on it."
Check Point said it alerted Qualcomm to the issue on Oct. 8, 2020, after which the chipmaker notified the relevant mobile vendors.
"Providing technologies that support robust security and privacy is a priority for Qualcomm," the company told The Hacker News via email. "Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available." The company also said it intends to include CVE-2020-11292 in the public Android bulletin for June.
This is not the first time critical flaws have been found in Qualcomm chips. In August 2020, Check Point researchers disclosed more than 400 security issues — collectively called "Achilles" — in its digital signal processing chip, enabling an adversary to turn the phone into a "perfect spying tool, without any user interaction required."
"Cellular modem chips are often considered the crown jewels for cyber attackers, especially the chips manufactured by Qualcomm," said Yaniv Balmas, head of cyber research at Check Point. "An attack on Qualcomm modem chips has the potential to negatively affect hundreds of millions of mobile phones across the globe."
Update: Samsung has issued a statement on the vulnerability, urging users to update their devices as soon as patches become available.
"Samsung Android devices with Qualcomm chipset are affected by the vulnerability disclosed by Check Point, and Samsung has been releasing patches for affected select Samsung devices since January of 2021," the company said. "While a number of Samsung devices have already been patched starting in January of 2021, most Samsung devices with an Android Security Patch Level of May 1, 2021 or later, will be considered protected from the disclosed vulnerability."