Qualcomm’s Mobile Station Modems Vulnerability Puts Android Users’ Privacy at Risk
Researchers Believe That If Exploited, the Flaw Would Allow Attackers to Use the Android OS as An Entry Point to Inject Malicious Code into Smartphones.
A security flaw affecting Qualcomm’s mobile station modems (MSM) was recently disclosed by Check Point’s research team, which claims that the vulnerability could be exploited to inject malicious code into the phone by using the Android OS as an entry point. The impacted chip(s) are reportedly responsible for connecting nearly 40% of all smartphones in the world, including high-end phones from Samsung and other OEMs.
According to the team,
“If a researcher wants to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through QMI.”
The investigation revealed a “vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor.” Tracked as CVE-2020-11292, the flaw could allow threat actors to inject malicious code into the modem from Android, giving them access to the user’s call history and SMS, as well as the ability to listen to the user’s conversations. Hackers can also exploit the vulnerability to unlock the SIM, overcoming the limitations imposed on the mobile device by service providers.
Fortunately, although the flaw was only recently revealed to the public, for obvious security reasons, Qualcomm had already patched it in December 2020.
However, numerous smartphones from Samsung and other OEMs are still vulnerable. Generally, if a part manufacturer such as Qualcomm releases a patch for its hardware, it’s up to smartphone OEMs to distribute the update accordingly. In the case of Android OS, where fragmentation is par for the course, some devices will be updated sooner than others, with availability differing by region.
Smartphone OEMs (Samsung included) should now be in the process of updating their devices to address the vulnerability.
SamMobile notes that although it might not contain the necessary fixes for this issue, the May 2021 security patch is rolling out for numerous Galaxy devices. The security patch does include a fix for devices powered by both Exynos and Qualcomm chipsets, but it doesn’t seem to match Check Point’s description.
Mobile devices present a different threat surface than traditional endpoints. Check Point researchers advise you to follow mobile-specific security best practices to secure these devices:
- Always update your mobile devices to the latest version of the OS to protect against the exploitation of vulnerabilities;
- Only install apps downloaded from official app stores to reduce the probability of downloading and installing mobile malware;
- Enable ‘remote wipe’ capability on all mobile devices to minimize the probability of loss of sensitive data;
- Install a security solution on your device.