Cybersecurity researchers have disclosed a new security vulnerability in Qualcomm’s mobile station modems (MSM) that could potentially allow an attacker to leverage the underlying Android operating system to slip malicious code into mobile phones, undetected.
“If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations,” researchers from Israeli security firm Check Point said in an analysis published today.
The heap overflow vulnerability, tracked as CVE-2020-11292, could be exploited by a malicious app to conceal its activities “underneath” the OS in the modem chip itself, thus making it invisible to the operating system and the security protections built into it.
Designed since the 1990s, Qualcomm MSM chips allows mobile phones to connect to cellular networks and allow Android to take to the chip’s processor via the Qualcomm MSM Interface (QMI), a proprietary protocol that enables the communication between the software components in the MSM and other peripheral subsystems on the device such as cameras and fingerprint scanners.
While 40% of all smartphones today, including those from Google, Samsung, LG, Xiaomi, and One Plus, use a Qualcomm MSM chip, an estimated 30% of the devices come with QMI in them, according to research from Counterpoint.
“An attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS, as well as the ability to listen to the device user’s conversations,” the researchers said. “A hacker can also exploit the vulnerability to unlock the device’s SIM, thereby overcoming the limitations imposed by service providers on it.”
Check Point said it notified Qualcomm of the issue on Oct. 8, 2020, following which the chipmaker notified relevant mobile vendors. However, neither Qualcomm’s May 2021 Security Bulletin, which was published on May 5, nor Google’s monthly Android Security Bulletin mentions the vulnerability. We have reached out to the company for more details, and we will update the story if we hear back.
This is not the first time critical flaws have been found in Qualcomm chips. In August 2020, Check Point researchers disclosed more than 400 security issues — collectively called “Achilles” — in its digital signal processing chip, enabling an adversary to turn the phone into a “perfect spying tool, without any user interaction required.”
“Cellular modem chips are often considered the crown jewels for cyber attackers, especially the chips manufactured by Qualcomm,” said Yaniv Balmas, head of cyber research at Check Point. “An attack on Qualcomm modem chips has the potential to negatively affect hundreds of millions of mobile phones across the globe.”