Qualcomm Chip Vulnerability Affects 30% Of All Smartphones, Lets Hackers Eavesdrop On Your Calls

Our smartphones, over the years, have from a tool used primarily by tech enthusiasts to something that almost everyone walks around with today. As such, our smartphones are used for everything from making phone calls, to texting, to gaming, to taking photos, to banking.

And when it comes to smartphones, Android devices have the most market share, and the majority of them are using Qualcomm Snapdragon SoCs. Besides featuring a powerful CPU and GPU, modern Snapdragon SoCs also feature an integrated modem that gives you 4G LTE and 5G connectivity.

Unfortunately, the folks from Check Point Research have discovered a vulnerability in Qualcomm's Mobile Station Modems (MSM). Google's Android operating system can access the MSM through the Qualcomm MSM Interface (QMI), and that's where the Checkpoint researchers were able to probe a rather nasty vulnerability involving QMI.

android malware pair

"During our investigation, we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor," the researchers explained.

Using the vulnerability, malicious actors could use the Android operating system to inject code into the MSM. Given that the MSM handles all call information coming in and out of the smartphone, it would give attackers access to device call history and SMS data. Perhaps even more concerning is that it would be possible to eavesdrop on active phone conversations and even unlock a smartphone's SIM, defeating carrier protections. QMI is currently in use on 30 percent of smartphones according to Checkpoint.

The vulnerability has been assigned CVE-2020-11292 for tracking purposes and affects most modern Qualcomm MSMs, including the most recent 5G iterations. However, it should be noted that Qualcomm sent patches out to Android OEMs in December after receiving a heads-up from Checkpoint. As a result, if you have a smartphone that receives regular updates from the manufacturer -- a la Samsung, Google, etc. -- you should be safe.

However, if you're using a device that is no longer receiving updates because of age, or if your OEM is laggard with updates, you may simply be out of luck.