Security scientists who believe that a weakness that can be used to insert malicious code mostly on mobile by using the Android operating system itself as a port of entry has recently been reported as a grave security flaw concerning Qualcomm mobile station modems (MSM). The impacted chip(s) would connect nearly 40% of all smartphones, such as Samsung and other OEM's high-end phones, in the world.
Qualcomm MSM is a 2G, 3G, 4G, and 5G-capable Chip System (SoC) used by several vendors, such as Samsung, Google, LG, OnePlus, and Xiaomi, for approximately 40 percent of cell phones.
"If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones," as per the Check Point researchers who found the vulnerability tracked as CVE-2020-11292.
The security vulnerability can also allow attackers to activate the SIM module used to safely store the network authentication information and contact details on mobile devices.
The criminals have to misuse a stack overflow vulnerability in the Qualcomm MSM Interface (QMI), which is being used by the cellular processors for interface with the software stack, to exploit CVE-2020-11292 and monitor the modem and remotely repair it from the application processor.
Malicious apps could then use the loophole to mask their activities from the modem chip on its own and effectively invisibly track malicious behavior using Android security features.
"Going forward, our research can hopefully open the door for other security researchers to assist Qualcomm and other vendors to create better and more secure chips, helping us foster better online protection and security for everyone."
Following the study, Qualcomm produced security patches to resolve the security problem CVE-2020-11292 and delivered them to all affected vendors in December 2020, two months later. Qualcomm's priorities are the availability of solutions supporting comprehensive safety and privacy. While in December 2020, Qualcomm Technologies provided OEMs with updates and they encourage end-users to upgrade their devices when patches are available.
As Qualcomm sent the CVE-2020-11292 patches to OEMs last year, it ought to be safe against efforts to jeopardize any modernized devices for Android users with newer devices often receiving security and system updates. Unfortunately, it might not be that lucky for all those who didn't upgrade to a new smartphone promoting newer Android launches over the last few years.
Given the reality, about 19% of all Android devices run Android Pie 9.0 (launched in August 2018) and over 9% Android 8.1 Oreo (launched in December 2017) as per the Stat Counter data.
Last year Qualcomm rectified the Digital Signal Processor Chip (DSP), which allows attackers to monitor smartphones, spy on the users, and build immovable malware which can avoid detection, with much more vulnerabilities that could impact Snapdragon.
KrØØk was also repaired by Qualcomm in July 2020, a security bug that can be used to decipher certain WPA 2 encrypted wireless network packets.
In 2019, yet another bug was fixed which enabled access to sensitive data and two faults in the SoC WLAN firmware that permitted over the air compromise of the modem and kernel.