


Serious Android flaw threatens hundreds of millions of users — what to do

(Image credit: Photo Illustration by Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images)

A deep-rooted flaw in Qualcomm chips threatens hundreds of millions of Android phones.

The news comes from Israeli security firm Check Point in a new report. The security firm says hackers could use the flaw to read your text messages, listen to your phone conversations and in some cases even unlock your SIM card. Qualcomm told Tom's Guide that it has released a fix for the flaw to handset makers, but it may still be some time before many handset makers push the fix out to most users' phones.


The vulnerability lies in the Mobile Station Modem (i.e., a cellular modem), which dates back to 1990 and is still present in the integrated chipsets of the latest 5G-enabled phones, Check Point says.

Check Point estimates that up to 30% of Android phones worldwide, including top models made by Samsung, Google, Xiaomi, LG and OnePlus, have the Qualcomm modem software that includes this vulnerability. Other top makers using Qualcomm chips include Asus, Sony and ZTE.

Apple devices or Android phones that use chipsets by other manufacturers are not affected.

What can you do about this Qualcomm flaw?

There's not much you can do to fix this problem yourself other than to install system updates as they come up. Check Point suggests that while you wait for a fix, you should follow the standard Android best practices: Avoid app stores other than Google Play, and run one of the best Android antivirus apps.

"Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available," a Qualcomm representative told us.

The catalog number assigned to this flaw, CVE-2020-11292, is not mentioned in any recent Android security bulletin, including the May Android security bulletin released three days ago. It's possible Google has quietly patched it in secret, although there are plenty of other "closed-source components" in each month's updates.

A Qualcomm representative told Tom's Guide that the fix would be publicly included in the June Android security bulletin next month.

The Qualcomm representative added that Check Point's attack scenario seems kind of pointless because it would involve breaching Android security first. That would already give the attacker the same kind of data about texts and calls that could be gleaned from breaking into the MSM modem afterward.

Because each handset maker crafts its own updates for each model, it's possible that manufacturers such as Samsung or Sony may have included the fix for CVE-2020-11292 in their own updates.

"We do not know who patched or not," a Check Point representative told Tom's Guide. "From our experience, the implementation of these fixes takes time, so many of the phones are likely still prone to the threat."

So if your Qualcomm-using phone has not had a system update since November 2020, it's a safe bet that your phone has not been patched against this flaw. If it has had an update since then, then it may have been patched.
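A way to apply this timeline across a set of devices, as an added example that is not from the article, Check Point or Qualcomm: it buckets each device by the patch-level string returned by `adb shell getprop ro.build.version.security_patch`. Treating that string as a stand-in for the last system update, the inventory format, the `qualcomm` vendor tag and the status labels are all assumptions made here.

```shell
#!/bin/sh
# Added example: bucket devices by the timeline reported for CVE-2020-11292.
# Patch level is the YYYY-MM-DD string from
#   adb shell getprop ro.build.version.security_patch
# Assumption: the patch level stands in for "last system update".

classify_patch_level() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;   # missing or malformed value
    esac
    key=$(printf '%s' "$1" | tr -d '-')  # 2020-11-05 -> 20201105
    if [ "$key" -lt 20201201 ]; then
        echo "likely-unpatched"          # nothing newer than November 2020
    elif [ "$key" -lt 20210601 ]; then
        echo "check-with-vendor"         # fix was with OEMs, not yet in a bulletin
    else
        echo "june-bulletin-or-later"    # confirm against the bulletin itself
    fi
}

# Reads "serial soc_vendor patch_level" lines; prints "serial status".
# The soc_vendor column is a hypothetical inventory field.
triage_inventory() {
    while read -r serial soc level; do
        [ -n "$serial" ] || continue
        case $soc in
            qualcomm) status=$(classify_patch_level "$level") ;;
            *)        status="not-affected" ;;  # other chipset makers
        esac
        echo "$serial $status"
    done
}

# Constructed sample inventory (not real devices).
sample_inventory() {
    cat <<'EOF'
dev-a qualcomm 2020-11-05
dev-b qualcomm 2021-03-01
dev-c qualcomm 2021-06-05
dev-d otherchip 2020-09-01
dev-e qualcomm n/a
EOF
}

sample_inventory | triage_inventory
```

A `check-with-vendor` result means the handset maker's own release notes decide the matter, since the article reports that nobody outside the OEMs knows which builds carry the fix.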

Technical details still under wraps

On the upside, there have been no reports of bad guys exploiting this flaw in the wild. Check Point has left out several of the technical details of the vulnerability so that readers of its report won't be able to try it themselves.

Qualcomm's modems are pretty difficult to successfully attack from the network side, Check Point said. So the Israeli company's researchers took the opposite approach and found they could hack into the modems from the Android operating system itself.

They were able to inject malicious code into the Qualcomm MSM Interface (QMI), which Check Point described as "a proprietary protocol that enables communication between the software components in the MSM and other peripheral subsystems on the device such as cameras and fingerprint scanners."

That injected code could let the attackers, or Android malware, read call logs and SMS text messages, and eavesdrop on phone calls. Depending on the handset manufacturer, who can add additional capabilities to QMI, the flaw could also let attackers unlock the phone's SIM card.

Android malware could even use the modem as a place to "hide" from Android's security scanners or Android antivirus software, because it would have access to the modem's low-level processes.

Check Point notified Qualcomm of this flaw in October 2020, and told the chip maker that it would be making the flaw public in April 2021. It's not clear why Check Point waited until a few days into May.


Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/qualcomm-modem-flaw
