Android smartphones that are running on a specific Qualcomm digital signal processor (DSP) chip are reported to have as many as 400 vulnerabilities. Security research firm Check Point discovered this in its research, and stated that this allows hackers to access sensitive information, render the mobile phone constantly unresponsive, and allow malware and other malicious code to completely hide their activities and become un-removable. The Qualcomm DSP chips are found in high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and many more.
According to Check Point, Qualcomm knew of these vulnerabilities earlier on, and had also acknowledged them, while notifying relevant device vendors regarding the vulnerabilities. It assigned several CVE fixes to device vendors including CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.
In a statement to the media, a spokesperson from Qualcomm said, “Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”
These hundreds of vulnerabilities can allow hackers to turn the phone into a spying tool, without any user interaction, gain access to photos, videos, call-recording, real-time microphone data, GPS and location data.
While we are yet to know the exact number of phones affected by this, Qualcomm chips are embedded into nearly 40 percent of mobile phones in the market, according to a Strategy Analytics report from 2019.