According to the security research company Check Point, there is a vulnerability in Qualcomm’s 5G modem chip. According to the research agency, this vulnerability will affect about 30% of Android smartphones globally. The discovery of this vulnerability dates back to December last year. It may allow hackers to remotely attack Android users by injecting malicious code into the phone’s modem, gaining the ability to execute code, access mobile users’ call records and text messages, and eavesdrop on calls. According to reports, this vulnerability affects Google Pixel, LG smartphones, OnePlus, Samsung Galaxy series, and Xiaomi devices. Fortunately, Samsung’s May 2021 security update has resolved this Qualcomm security vulnerability. Earlier today, Samsung updated its security bulletin with the latest patch to confirm this.
Previously, Samsung’s May 2021 security patch update log did not mention Qualcomm’s “CVE-2020-11292” vulnerability. Today Samsung updated this page to include new information about the vulnerability. Samsung also noted in its May 2021 security patch announcement that the company has been patching the vulnerability since January 2021.
The company did not disclose which Galaxy devices received this update before May. However, the fix is now part of the latest security patch. This update is already available for low-end to high-end Samsung Galaxy smartphones.
Qualcomm’s chip vulnerability
According to Check Point Research, the vulnerability (CVE-2020-11292) exists in Qualcomm’s mobile station modem (MSM) interface, called QMI. MSM is a system on chip (SoC) from Qualcomm. QMI is a proprietary protocol for communication between software components in the modem and other peripheral subsystems.
The impact of this vulnerability may be far-reaching. MSM has been in mobile devices since the 2G era. According to Check Point data, QMI is used in about 30% of mobile phones worldwide.
A Check Point spokesperson said, “assuming a malicious application is running on a mobile phone, it can use this vulnerability to hide in the modem chip, making it invisible to all current security measures on mobile phones”.
Fortunately, Qualcomm already has a fix, but the rollout of the patch will be slow. According to Qualcomm, it has notified all Android vendors. However, the company does not know which of these vendors eventually released the patch to their users.
This is not the first time that Qualcomm’s chips have had serious defects. For example, Check Point disclosed six serious flaws in Qualcomm’s Snapdragon mobile chipset at DEF CON last year. Those flaws exposed about 40% of Android smartphones to denial of service and other attacks.