Qualcomm chip flaws put 'millions' of Android devices at risk
Vulnerabilities leave device owners open to data theft and malware that can become unremovable
More than 400 vulnerabilities in code found in Snapdragon mobile CPUs manufactured by Qualcomm are putting Android device users at risk of malware and data exfiltration.
Following a deep dive on Qualcomm’s Snapdragon chips fitted into the majority of Android handsets, in a process dubbed ‘Achilles’, security researchers identified hundreds of flaws that can be readily exploited.
These flaws have been assigned with seven separate CVE tags and have been disclosed to Qualcomm, which has acknowledged them and notified the relevant device manufacturers, according to Check Point Research.
The bugs have been assigned CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.
“Using our research methodologies and state-of-the-art fuzz testing technologies, we were able to overcome these issues – gaining us with a rare insight into the internals of the tested DSP chip,” Check Point Research said in a blog post. “This allowed us to effectively review the chip’s security controls and identify its weak points.
“We hope this research will help build a better and more secure environment for the DSP chip ecosystem, as well as provide the necessary knowledge and tools for the security community to preform regular security reviews for these chips in order to strengthen the security of mobile devices.”
Hackers can turn the phone into a spying tool without any user interaction, for example, exfiltrating information from the phone, including photos, videos, call-recording, real-time microphone data, GPS, location data, and other data points.
Attackers may also render the phone unresponsive, making all information stored on the device permanently unavailable. This includes all media such as photos and videos, as well as contact details. This, in effect, is equivalent to a targeted denial-of-service attack.
RELATED RESOURCE
Introducing VMDR: Vulnerability Management, Detection and Response
The all-in-one vulnerability management service
Cyber criminals can also exploit the vulnerable code to install malware or other malicious code in order to hide their activities. This malicious code can then become unremovable.
These chips are more vulnerable to risks, meanwhile, because they are managed as ‘black boxes’, according to the researchers, and it can be very complex for anybody other than the manufacturer to review their design or functionality.
Due to the ‘black box’ nature of the CPUs, it is also challenging for the mobile phone vendors themselves to fix these issues, as they will need to be addressed by the chip manufacturer, Qualcomm.
They decided not to publish the full technical details until vendors had comprehensive mitigations and fixes to these issues.
IT Pro approached Qualcomm for details on a plan to fix these vulnerabilities.
-
Google Cloud Next 2026: all the live updates as they happenLive blog ITPro is on the ground at Google Cloud Next 2026, to cover all the latest announcements from the day one keynote
-
AWS UK chief touts big gains with AI-powered codingNews Developers at AWS were able to speed up delivery of what would have traditionally been an extensive project
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
