- A critical zero-day vulnerability in Qualcomm chipsets was exploited recently to target Android phone users.
- A total of 64 chipsets, including the Snapdragon mobile chipsets, modems, and other chipsets, are vulnerable.
- Qualcomm has shared a patch for the vulnerability with OEMs, but it's up to phone makers to deliver it to users.
From your Android smartphone’s battery suddenly running out quickly to spotting new apps that you don’t remember installing, how many times have you gotten paranoid about your device being hacked? Turning your worst nightmares into reality, Qualcomm today opened up about a zero-day vulnerability in its chipsets, which has now been patched, that made Android smartphones prone to a cyberattack.
As it turns out, the vulnerability affects a wide range of Qualcomm’s mid-range and flagship chipsets and modems, as well as FastConnect modules. In its security bulletin, Qualcomm has listed the affected chipsets and the severity levels, which range from medium to critical.
The security flaw was discovered by researchers at the Google Threat Analysis Group and Amnesty International Security Lab, and Qualcomm has now confirmed it.
Some of the popular flagship chipsets listed in this bulletin are the Snapdragon 8 Gen 1, 8+ Gen 1, 8 Gen 2, 8+ Gen 2, and 8 Gen 3. Even the Snapdragon X65 5G modem that iPhone 14 models use, as well as the Snapdragon X75 5G that the latest iPhone 16 models use, are at risk.
Older Qualcomm chipsets like the Snapdragon 662, 680, 695, 765, 865+, 888, and 888+ are also affected by the vulnerability. From the looks of it, neither entry-level nor flagship-grade Android phones using Qualcomm chipsets are safe.
The vulnerability is tagged CVE-2024-43047, and the report describes it as follows:
“Multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory.”
The suggested course of action listed on America’s Cyber Defence Agency’s website is to “apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.” Moreover, Qualcomm stated that it has shared the patch addressing this vulnerability with OEMs and alerted them to roll it out to users as soon as possible.
Now, although iPhones use Qualcomm’s affected 5G modems, it’s unclear whether they are at risk too. Moreover, the hacking campaigns that exploited this vulnerability mostly affected individuals. The motive behind exploiting this vulnerability in Android phones is also unclear. Hopefully, more concrete details about the affected users will surface online in the coming days.
For now, all you can do is hope that you get the zero-day vulnerability patch from your phone maker at the earliest. With cyberattacks increasing at an unprecedented scale globally, companies need to buckle up and conduct active audits of their security systems to detect such vulnerabilities.