Recently, Israeli security firm Check Point Research announced that it found a flaw in Qualcomm’s chips that could allow hackers to listen in on your calls. This is a big deal considering a very large portion of Android devices are powered by the Snapdragon series of processors made by Qualcomm.
Popular smartphones from Samsung, Google, OnePlus, LG, and more all use Qualcomm’s chipsets. Check Point says that it’s possible up to 30% of all Android phones could be affected. However, if you’re using a phone powered by another chipset, such as MediaTek, Exynos, or Kirin–then your device would be unaffected.
According to the report, the flaw is located in the Mobile Station Modem and has been present in Qualcomm chips since the early 1990s up until present day.
We discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor. An attacker can use such a vulnerability to inject malicious code into the modem from Android. This gives the attacker access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations. A hacker can exploit the vulnerability to unlock the SIM, thereby overcoming the limitations of the service providers imposed on the mobile device.
It is not known if the flaw has been exploited out in the wild yet, but Check Point first reported it to Qualcomm back in October of 2020. In a statement to Tom’s Guide, Qualcomm says it made a fix available to patch the flaw back in December 2020.
However, the catalog number for the bug, CVE-2020-11292, has not been referenced in any security bulletins published for Android. Perhaps Google patched it quietly, or another manufacturer such as Samsung has done so. Regardless, if you haven’t received a security update for your phone since November 2020, then your phone is most likely vulnerable.
There’s really nothing you can do about it at this time though, except for continuing to check for updates for your phone. The good news is, Qualcomm says a scenario where your phone would be exploited by this flaw is very unlikely because it would require breaching Android security first.
Furthermore, Check Point also left out many technical details about the vulnerability to prevent aiding any hackers in using it, and there have not been any reports of it being used as of yet.