A recently identified flaw in microchips powering Android devices means that as many as 1 billion phones are vulnerable to data theft, according to reports.
Ars Technica reports that the devices are “vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported.”
The researchers say the flaws can be exploited when a user simply watches a video or listens to a song that is rendered by the microchip in question, meaning that significant changes can be made to the device without explicit permission.
The research comes from Check Point Software Technologies, which published its report on the vulnerabilities, nicknamed ‘Achilles’.
Check Point makes it clear that this is extremely significant, considering that the manufacturer of the Snapdragon microchips, Qualcomm Technologies, supplies microchips to more than 40% of the smartphone market, including directly to manufacturers like Samsung, Google, LG, OnePlus and Xiaomi.
According to numbers from Ars Technica, Snapdragon microchips are found in 90% of Android devices in the US market.
In total, researchers at Check Point found 400 “vulnerable pieces of code” within the DSP microchips they tested, and these can translate into some nasty real-world impacts for the user.
According to Check Point’s publication, attacks can potentially “turn the phone into a perfect spying tool, without any user interaction required,” as well as being “able to render the mobile phone constantly unresponsive,” and finally, being able to “completely hide their activities and become un-removable.”
The authors state that “while DSP chips provide a relatively economical solution that allows mobile phones to provide end users with more functionality and enable innovative features – they do come with a cost.”
“These chips introduce new attack surfaces and weak points to these mobile devices. DSP chips are much more vulnerable to risks as they are being managed as ‘Black Boxes’,” Check Point writes.
The manufacturer of these chips, Qualcomm, has since issued a statement saying that “regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs,” referring to original equipment manufacturers such as Samsung, Google or OnePlus, to which the company sells its hardware.
“We have no evidence it is currently being exploited,” Qualcomm added.
“We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” it said.
The research team at Check Point added that the firm “decided not to publish the full technical details of these vulnerabilities until mobile vendors have a comprehensive solution to mitigate the possible risks described… however, we decided to publish this blog to raise awareness of this issue.”
“We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer,” the authors wrote.