A vulnerability found in nearly 40% of all smartphones could allow hackers to access users’ call and text history and even listen to phone conversations.
Security firm Check Point Research (CPR) found the security flaw classified as CVE-2020-11292 in Qualcomm’s mobile station modems (MSM), the chip used for cellular communication in many mobile phones, including those manufactured by Google, Samsung, LG, Xiaomi, and OnePlus.
Designed to support advanced features in high-end phones
CPR said that many mobile phone makers now rely on third parties such as Qualcomm to produce hardware and software for their phones amid demand for these devices. More than 3 billion people worldwide now use mobile phones, and the number is expected to rise in the coming years.
Picks for you
Qualcomm designed MSM for high-end phones to support advanced features such as 4G LTE and high definition recording.
“MSM has always been and will continue to be a popular target for security research and for cybercriminals. After all, hackers are always looking for ways to attack mobile devices remotely, such as by sending an SMS or a crafted radio packet that communicates with the device and has the ability to take control of it,” CPR wrote in a blog post.
Securing mobile devices
A Qualcomm representative told Tom’s Guide that CPR’s attack scenario would require breaking into Android security first, which means that a successful exploit would already give the attacker access to the mobile phone user’s text and call information.
The representative said that Qualcomm will publicly include a fix for the vulnerability in the June Android security bulletin next month.
“Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end-users to update their devices as patches become available,” the Qualcomm representative said.
CPR said that mobile phone users should observe security best practices to safeguard their devices from attackers.
It said that phones should always be updated to the latest version. It also advised users only to install apps from the official app stores, install a security solution on their devices, and enable “remote wipe” capability on their device to minimize the possibility of losing sensitive data.
