And overwhelming number of Android smartphones rely on Qualcomm Snapdragon processors. While there are other SoC vendors out like Huawei and Samsung, Qualcomm alone captured roughly 40 percent of the overall smartphone market during 2019.
With that wide penetration comes greater scrutiny when it comes to any security exploits that could affect Snapdragon chips. To that end, the researchers at Check Point have discovered over 400 vulnerable pieces of code within the Digital Signal Processor (DSP) chips found within Snapdragon SoCs used in hundreds of millions of Android devices. The 400 pieces of flawed code have been broken down into six separate security flaws, which are represented below by their CVE listings:
According to Check Point, these six exploits, collectively known as Achilles, can turn your smartphone into "a perfect spying tool". Some of the possible actions that can be taken including stealing photos, videos, GPS/location data and even real-time microphone data. Targeted denial-of-service attacks could be performed, and malware/malicious code could be discretely hidden on the device, after-which it wouldn't be possible to remove it.
As is the case with all of the exploits that Check Points discovers, it reached out to Qualcomm before going public. However, there's both good news and bad news when it comes to a resolution for these six exploits. The good news is that Qualcomm has patched all six flaws.
The bad news is that that it's up to each individual smartphone vendor to send out specific patches for every single smartphone that they have made using an affected Snapdragon SoC. Given that some Android OEMs are lax in providing simple security updates, getting them to push out critical firmware updates for each one of their devices might be a bridge too far. With that being said, Qualcomm has already issued the following statement regarding Check Point's findings:
Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.
We can only hope that smartphones OEMs using Snapdragon SoCs release these patches as soon as possible, otherwise there could be some dire consequences for inaction. "Hundreds of millions of phones are exposed to this security risk," said Yaniv Balmas, Cyber Research chief at Check Point. "You can be spied on. You can lose all your data. If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time."