Android smartphones running on a specific Qualcomm digital signal processor (DSP) chip are reported to have as many as 400 vulnerabilities. Security research firm Check Point in its research discovered that these vulnerabilities allow hackers to access sensitive information, render the mobile phone constantly unresponsive, and allow malware and other malicious code to completely hide their activities and become un-removable. Check Point says that Qualcomm DSP chips are found in high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more.
CheckPoint Tested the DSP chip and discovered over 400 vulnerable pieces of code. If exploited it can allow hackers to turn any smartphone into a spying tool without the user’s interaction. Hackers can get access to data including photos, videos, call recordings, real-time microphone data, GPS and location data as well.
Hackers can also push a denial-of-service attack which would freeze the phone. This way all the data on the phone will be permanently available. Another potentially dangerous thing is that hackers can inject malware and malicious code on these phones that will not only hide their activities but even make them unremovable.
CheckPoint hasn’t revealed the technical details of how these vulnerabilities can be exploited.
“We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer,” CheckPoint said.
CheckPoint did inform Qualcomm and the company has patched six security flaws discovered. But for Android phone users to be completely safe, mobile phone vendors will have to roll out the security fixes to their smartphones.
“Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” Qualcomm said in a statement to Bleeping Computer.
The Qualcomm chip security loopholes affect only Android smartphones. iPhones are safe since Apple uses in-house chips. Other than Qualcomm, MediaTek chipsets are mostly used on Android phones and in-house chipsets such as Samsung’s Exynos and Huawei’s Kirin.