Check Point researchers have found six new vulnerabilities in Qualcomm-built Snapdragon chips that could potentially cause major privacy and security issues, reports indicate. The team behind the discovery says that those vulnerabilities don't just impact the lesser Android stock either. Instead, they link directly to a Snapdragon-specific Digital Signal Processor (DSP) chip. Those are chips used for digital audio and visual signal processing. So the problem could impact "nearly every Android phone on the planet."
That includes those in top-tier devices from the likes of "Google, Samsung, LG, Xiaomi, OnePlus, and more."
It doesn't appear to matter whether those are the worst or the best available handsets, although some OEMs do update more quickly and efficiently than others.
How can these Snapdragon vulnerabilities actually be used?
Now, Check Point researchers have reported the vulnerabilities and security concerns surrounding Snapdragon DSP chips to the company. It also reported to requisite government officials and smartphone OEMs.
Qualcomm has since designated the vulnerabilities as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209. And the researchers highlight several potential problems from those. Most damaging is that they could allow attackers almost undetectable device access. More specifically, that's as a spy tool that doesn't require user interaction.
Because the vulnerabilities are found in the DSP chips, that means data stolen centers on data managed by the component. That could include photos and videos. But real-time microphone data, location data, and call recording aren't out of the realm of possibility either.
Beyond that, the vulnerabilities could be used in an effective 'targetted denial-of-service attack'. Summarily, attackers could overwhelm a device unresponsive for end-users.
Finally, malware based on the vulnerabilities could completely hide their activities and be rendered 'un-removable'.
Qualcomm patched the issue, but only on its end
Check Point reports no evidence that attackers have exploited the vulnerabilities. Or at least not as of this writing. But despite Qualcomm patching the issue, problems could still arise.
The company released a statement indicating that ensuring 'robust security and privacy' is a top priority. So, Qualcomm says, it validated the issue quickly and provided mitigations to OEMs. And, of course, it says that users should only download apps from designated trusted locations such as Google's Play Store. It's also going to be important for users to update their devices whenever those updates become available.