07 May 21, 13:55
Quote: A vulnerability in a 5G modem data service could allow mobile hackers to remotely target Android users by injecting malicious code into a phone’s modem – gaining the ability to execute code, access mobile users’ call histories and text messages, and eavesdrop on phone calls.
That’s according to Check Point Research, which said that the bug (CVE-2020-11292) exists in the Qualcomm Mobile Station Modem (MSM) Interface, which is known as QMI for short. MSMs are systems on chips (SoCs) designed by Qualcomm, and QMI is a proprietary protocol used to communicate between software components in the modem and other peripheral subsystems.
The impact of the bug could be far-reaching: MSMs have been used since the pre-mobile internet 2G era of mobile devices, and QMI is used in roughly 30 percent of the globe’s handsets, according to Check Point, including Google Pixels, LG models, OnePlus devices, Samsung’s flagship Galaxy line and Xiaomi phones.
As for the attack vector, essentially, attackers can exploit the bug to attack a mobile device remotely, via a malicious or trojanized Android application, a Check Point spokesperson told Threatpost.
“The vector involves a target installing a malicious application,” he said. “Assuming a malicious application is running on the phone, it can use this vulnerability to ‘hide’ itself within the modem chip, making it invisible in terms of all security measures on phones today.”
The spokesperson said that Check Point decided not to share all the technical details of the bug, lest it give hackers a roadmap on how to orchestrate an exploitation. However, he noted that “basically, we tried ‘attacking’ the chip from within the phone itself, instead of from the carrier side. We went on to find some interesting vulnerabilities there that lead to remote code execution.”
He added, “furthermore, the vulnerability can allow ‘playing around’ with the modem itself. For example, [taking over a SIM card] and unlocking a phone that is fixed to be used by a certain carrier.”
A fix has been issued by Qualcomm; however, the patches will be slow to roll out. As with all Android OEM issues, each handset vendor will need to apply the fix for its customers.
“Qualcomm says it has notified all Android vendors, and we spoke to a few of them ourselves,” the spokesperson told Threatpost. “We do not know who patched or not. From our experience, the implementation of these fixes takes time, so many of the phones are likely still prone to the threat.”
Read more: Qualcomm Chip Bug Opens Android Fans to Eavesdropping | Threatpost