Qualcomm’s Snapdragon chip is one of the widely used processors in Android devices today. In 2019 alone, nearly 40% of all Android smartphones from Google, Samsung, Xiaomi, LG and OnePlus run on Snapdragon processors.
But researchers from cybersecurity firm Check Point recently discovered that the digital signal processor (DSP) in Snapdragon chips had over 400 pieces of vulnerable code that leave millions of Android users at risk. The vulnerabilities dubbed “Achilles”, could impact phones in three ways.
So what exactly is the DSP and what does it do? According to a Gizmodo article, the DSP enables many of the modern features we have come to expect in phones from quick charging, HD capture and advanced Augmented Reality (AR). This would, in essence, make the DSP a super-efficient and economical component but it also opens potential pathways for hackers to take control of devices.
Check Point said attackers need only need to trick a user to install an app that bypasses all usual security measures. The first way they can inflict harm is through a spying tool that enables them to access a phone’s photos, videos, GPS and location data. Even scarier, hackers are could potentially record phone calls and turn on the phone’s microphones remotely, all without the user ever realising.
Another way is an attacker could choose to render an infected smartphone unusable by locking all data stored on it via a “targeted denial-of-service attack”. The third way they can get you is by hiding malware in your phone that is unremovable.
But why are there so many vulnerabilities? Researchers said this is because the DSP is like a “black box” that can only be opened and reviewed by the manufacturer. Though this makes it hard to crack but it also means that security researchers cannot easily test them, making them ripe for several unknown security flaws.
Check Point said it has disclosed its findings to Qualcomm and affected vendors. It, however, did not publicly publish the particulars of the Achilles flaw as millions of devices still remain at risk. Even though Qualcomm reported that it has since fixed the issue, that doesn’t that your Android phone is safe. It is still up to individual phone makers to push the relevant security patches to truly resolve this vulnerability and that will inevitably take some time.
Qualcomm told CNET that it has “worked diligently to validate the issue and make appropriate mitigations available” to smartphone makers. So far the company has not found any evidence of the Achilles vulnerability exploited in the wild, it advised Android users to update their phones with the latest patches as they become available as well as to only install verified apps from official app stores.
At the same time, Check Point advises users to protect their data on their phones with mobile security solutions. Its SandBlast Mobile is said to provide real-time threat intelligence and visibility into the threats while providing complete protection against the risks posed by Qualcomm’s vulnerabilities.