Over a billion smartphones are affected by a set of 400 security flaws that can turn them into spying tools, Check Point has revealed. The recently discovered vulnerabilities affect over 40% of Android phones around the world, and 90% of the affected phones are currently in the US market.
Phones from major brands such as Google, Samsung, LG, Xiaomi, and OnePlus are affected. The “Achilles” security flaws exist in Qualcomm’s Snapdragon digital signal processors (DSPs), which handle many of an Android phone’s everyday functions.
Although Qualcomm has released security fixes, neither the Android operating system nor the Android device makers have yet shipped the updates.
DSP operation on Android phones
The DSP is a combined hardware and software component that offloads and optimizes various features of Android phones. The chip handles functions such as image processing, multimedia streaming, computer vision, audio and voice processing, artificial intelligence, and augmented reality.
Hardware vendors also use the DSP to run dedicated apps and to implement customized experiences on their Android phones.
However, attackers could exploit the security flaws when an Android user downloads content that is rendered on the Snapdragon DSP.
Risk posed by the “Achilles” security flaws on Android phones
According to Check Point, attackers could turn an Android smartphone into a spying tool without the user’s knowledge. The security flaws allow hackers to exfiltrate media files such as photos, videos, and call recordings.
Additionally, criminals could access real-time data, such as microphone audio, GPS readings, and location data.
The attackers could also freeze the affected Android phones, rendering them unresponsive. This weakness allows criminals to execute targeted distributed denial of service (DDoS) attacks on the affected phones.
The vulnerabilities also allow hackers to download, install, and hide malware on Android phones. Cybercriminals only need to trick an Android user into installing a seemingly benign application that requests no permissions on the Android device.
Google provides the first line of defense by blocking apps that exploit the Snapdragon DSP from its Play Store. However, given Google’s poor app vetting record, such applications are likely to evade the company’s review system. Users could also still download rogue apps from third-party stores and email attachments.
The risk posed by the “Achilles” security flaws is high because the DSP chip operates as a “black box,” according to Check Point: only the manufacturer can review its functionality, operation, design, and code.
Check Point used “state-of-the-art fuzz testing technologies” to overcome the challenges of testing, and found over 400 vulnerable pieces of code in the Snapdragon DSP.
Response from the parties involved
When asked for the expected turnaround time for fixing the security flaws discovered by Check Point, Google referred the researchers to the chipmaker. In response, Qualcomm released a statement acknowledging the vulnerabilities and assuring Android users that a solution was forthcoming.
“Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs.”
The company said it had no evidence of hackers exploiting the security flaws in the wild. However, Qualcomm said it would “encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”
Check Point also withheld the technical details of the vulnerabilities to avoid giving criminals any leads on how to exploit the affected devices. However, the firm released the tracking identifiers for the vulnerabilities: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209.
Mitigating Snapdragon’s “Achilles” security risk
Although Qualcomm has released fixes for the “Achilles” security flaws, the Android operating system has yet to incorporate the changes. Similarly, no Android device manufacturer has yet included the updates in its OEM firmware.
Given the fragmented nature of the Android ecosystem, such fixes may never reach the majority of Android devices, because many Android phone manufacturers provide only a limited support period. Such vendors are unlikely to update their older models already on the market.
Additionally, most Android device manufacturers stop developing firmware for their older devices once they release a new model. Consequently, the risks associated with the “Achilles” security flaws may persist for the lifetime of some devices.
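Since the only defensive action available to users and administrators is to confirm that a device has actually received the vendor’s patched firmware, the following added example (not code from the article, Check Point, or Qualcomm) shows a fleet-side check that parses `getprop` output collected from Android devices and flags those whose security patch level predates the required release. The `REQUIRED_PATCH_LEVEL` value is a placeholder that you must set from your device vendor’s security bulletin, and the device records are constructed sample data; the property name `ro.build.version.security_patch` is the standard Android system property.

```python
"""
Added example: audit Android security patch levels across a fleet.

Assumptions (not from the article):
  - `getprop` output was captured per device, e.g. via `adb shell getprop`,
    and is passed in here as text.
  - REQUIRED_PATCH_LEVEL is a PLACEHOLDER; set it from your vendor's bulletin.
"""
import re
from datetime import date
from typing import Dict, Optional

# Standard Android property carrying the YYYY-MM-DD security patch level.
PATCH_PROP = "ro.build.version.security_patch"
MANUFACTURER_PROP = "ro.product.manufacturer"

# PLACEHOLDER date: replace with the patch level named in the vendor bulletin
# that carries the Qualcomm DSP fixes for your device models.
REQUIRED_PATCH_LEVEL = date(2020, 8, 1)

_GETPROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_getprop(output: str) -> Dict[str, str]:
    """Turn `[key]: [value]` lines from getprop into a dictionary."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_level(props: Dict[str, str]) -> Optional[date]:
    """Return the device's patch level as a date, or None if missing/malformed."""
    try:
        return date.fromisoformat(props.get(PATCH_PROP, ""))
    except ValueError:
        return None


def is_patched(props: Dict[str, str], required: date) -> bool:
    """True only when a valid patch level is present and not older than `required`."""
    level = patch_level(props)
    return level is not None and level >= required


def audit(devices: Dict[str, str], required: date) -> Dict[str, str]:
    """Map each device serial to 'patched', 'unpatched', or 'unknown'.

    'unknown' (missing or unparsable patch level) is reported separately so
    that devices with stripped or custom builds are not silently counted as safe.
    """
    verdicts: Dict[str, str] = {}
    for serial, output in devices.items():
        props = parse_getprop(output)
        if patch_level(props) is None:
            verdicts[serial] = "unknown"
        elif is_patched(props, required):
            verdicts[serial] = "patched"
        else:
            verdicts[serial] = "unpatched"
    return verdicts


# Constructed sample data standing in for captured `getprop` output.
SAMPLE_DEVICES = {
    "serial-A": (
        "[ro.product.manufacturer]: [samsung]\n"
        "[ro.build.version.security_patch]: [2020-09-01]\n"
    ),
    "serial-B": (
        "[ro.product.manufacturer]: [Xiaomi]\n"
        "[ro.build.version.security_patch]: [2020-03-05]\n"
    ),
    "serial-C": (
        "[ro.product.manufacturer]: [unknown]\n"
        "[ro.build.version.security_patch]: [n/a]\n"
    ),
}

if __name__ == "__main__":
    for serial, verdict in audit(SAMPLE_DEVICES, REQUIRED_PATCH_LEVEL).items():
        manufacturer = parse_getprop(SAMPLE_DEVICES[serial]).get(MANUFACTURER_PROP, "?")
        print(f"{serial} ({manufacturer}): {verdict}")
```

The check deliberately treats a missing or malformed patch level as a distinct “unknown” state rather than folding it into either side, since a device that cannot report its patch level is exactly the kind of out-of-support model the article describes.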