Qualcomm modem flaw puts millions of Android users at risk

Vulnerability found in the chipmaker's Mobile Station Modem could allow hackers to listen to user conversations, although Qualcomm has downplayed the threat

The Android robot in front of lines of code

Checkpoint security researchers have found an exploit in Qualcomm's modem software that can be used to take control of Android devices.

The vulnerability resides in the chipmaker's Mobile Station Modem (MSM), which is a series of system on chips that reside on modems embedded in around 40% of smartphones on the market.

The researchers discovered a flaw that can be used to control the modem and patch it to a device's application processor. Through this, an attacker could inject malicious code into the modem from the operating system and theoretically gain access to a user's call and SMS history, while also providing a way to listen to live conversations.

Checkpoint has so far decided against publishing the full technical details of the exploit until mobile vendors have had the opportunity to release fixes, although the company said it is working with relevant government officials and mobile vendors to assist with this process.

MSM was designed for high-end smartphones and can be found in devices made by Samsung, Google, OnePlus, and Xiaomi. It supports features like 4G LTE and high definition recording and is said to be a popular target for cyber criminals.

Related Resource

Go further with mobile marketing

Easy steps to get your mobile strategy up-to-speed

Easy steps to get your mobile strategy up-to-speed - whitepaper from OracleDownload now

The Android OS communicates with the MSM chip's processor, via the Qualcomm MSM Interface (QMI), and connects to software components in the MSM and other peripheral systems within the device, such as cameras and fingerprint scanners. QMI is in around 30% of all mobiles in the world, according to Checkpoint, but little is known about its potential to be used as an attack vector.

Checkpoint said the discovered vulnerability is a potential leap in mobile chip research that it hopes will allow for a much easier inspection of the modem code by security researchers. The firm has disclosed its findings to Qualcomm, which also confirmed the issue as a "high-rated" vulnerability.

However, Qualcomm has since downplayed the significance of the vulnerability. In a statement to IT Pro, a company spokesperson said: “Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices.

"Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end-users to update their devices as patches become available," the spokesperson added, suggesting that many fixes will have already been delivered by manufacturers over the past sixth months.

There also does not appear to be any evidence that the flaw has been exploited in the wild.

To secure a device, Checkpoint recommends following mobile-specific best practices, such as updating to the latest version of Android, only downloading apps from official stores, enabling a 'remote wipe' capability and also installing a security service on your device. 

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Hackers breach a San Francisco water treatment plant
Security

Hackers breach a San Francisco water treatment plant

18 Jun 2021
Putin open to handing cyber criminals over to US
hacking

Putin open to handing cyber criminals over to US

14 Jun 2021

Most Popular

Q&A: Enabling transformation
Sponsored

Q&A: Enabling transformation

10 Jun 2021
OnePlus 9 Pro review: An instant cult classic
Hardware

OnePlus 9 Pro review: An instant cult classic

7 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021