According to some security researchers, a new bug in Qualcomm chips could affect about 30% of all Android smartphones. The vulnerability lies in the data transmission service of the 5G modem. It allows hackers to remotely attack a mobile device, inject malicious code into the smartphone's modem and execute it.
According to Check Point Research, the bug, CVE-2020-11292, is present in the Qualcomm Mobile Station Modem (MSM) Interface, also known as QMI. MSM refers to the systems-on-a-chip developed by the company, and QMI is a proprietary protocol that allows the software components of the modem and other subsystems to communicate with each other. QMI is used in about 30% of smartphones worldwide.
Hackers can remotely attack a mobile device using a trojanized Android application, which the victim must first install. Once launched, the application can use this vulnerability to “hide” in the modem chip. The malicious code then becomes invisible to all security measures on modern smartphones.
The researchers have not disclosed details, to prevent hackers from exploiting the vulnerability. In the course of the research, it was possible to attack the chip from inside the smartphone itself. The researchers also found that the modem vulnerability can be used to “unlock” a phone locked by a telecom operator.
It is also reported that Qualcomm is aware of this issue and has already released patches with fixes. However, such updates are slow to reach end-user devices, because smartphone manufacturers such as Samsung, Xiaomi, OnePlus and others have to integrate the fix into their own firmware and ship it as part of a security update. As a rule, manufacturers try to release security updates regularly, but in some cases they may come out only every few months. In addition, for older devices, such updates may not be released at all. Qualcomm says it has notified Android manufacturers of the issue. However, at the moment there is no information about which vendors have already implemented the patch and released the corresponding firmware update for the models available on the market. Thus, many smartphones may still be vulnerable.