This story was originally published and last updated .
Google and other Android manufacturers try to keep on top of the hardware and software security, at varying degrees of intensity. But a vulnerability in widely-used Qualcomm SoCs disclosed by Check Point Research today was particularly alarming. It could theoretically allow a malicious app to patch the software for Qualcomm’s MSM modem chips, giving it access to call and text history or even the ability to record conversations. Thankfully, most Samsung phones have already received a patch fixing the problem, and the rest is in for an update next month.
Check Point’s breakdown of the issue is extremely technical. But to put it in layman’s terms, vulnerabilities were found in the connections between the Qualcomm Modem Interface (QMI) software layer of the modem and the debugger service, allowing it to dynamically patch the software and bypass the usual security mechanisms. Standard third-party apps don’t have security privileges to access to QMI, but if more critical aspects of Android were compromised, this attack could be used.
With the vulnerabilities they found, the researchers determined that a malicious app could listen in to and record an active phone call, get call and SMS records, or even unlock a SIM card. Check Point estimates that the QMI software it discovered as vulnerable is present in approximately 40% of smartphones, from vendors including Samsung, Google, LG, OnePlus, Xiaomi, and more.
Samsung was quick to issue a statement on the issue itself, saying that “While a number of Samsung devices have already been patched starting in January of 2021, most Samsung devices with an Android Security Patch Level of May 1, 2021 or later, will be considered protected from the disclosed vulnerability.” The company encourages owners to install patches as soon as they’re available.
While the methods for this attack were described in broad terms, specific necessary information was withheld from the report in order to prevent anyone from easily duplicating the process. As of now, there’s no indication that this method of attack is actually being used “in the wild.”
Qualcomm has been aware of this issue since CPR disclosed it to it in October of last year, and has confirmed it as a high-rated vulnerability, passing it along to Android manufacturers that use its modems. At the time of writing the vulnerability has not been fixed, but presumably both Qualcomm and Google are working on incorporating a solution into a future security patch.
After we posted this story, a Qualcomm representative reached out to us with an official comment from the company:
Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available.
The representative went on to say that “many” Android OEMs have already issued the relevant security updates to end users, and that there’s no specific evidence that the vulnerability discovered by Check Point is being used. The vulnerability will be included in the public Android bulletin in June.