Forget malware—the latest shocking warning about vulnerabilities in Android devices gets to the very heart of the device, its 5G chipset. If exploited, this flaw would allow “dangerous” malware to hide inside your device “and never be removed.”
We’ve been here before. The security team at Check Point has previously hacked into Qualcomm’s TrustZone on Android devices, the “hardware-enforced isolation built into the CPU.” That flaw was patched, but the silicon threat vector remains open.
Now Check Point has issued another warning along the same lines, “a security vulnerability in Qualcomm’s 5G mobile station modem (MSM), the chip responsible for cellular communication in nearly 40% of the world’s phones.”
That means “hundreds of millions” of devices, Check Point says, exposed to “an attacker using Android OS itself as an entry point to inject malicious and invisible code into phones, granting an attacker access to call history, SMS messages and audio of phone conversations.” Think credential and data theft as well as spyware.
The affected chip manages the phone’s connections to cellular networks. Yaniv Balmas, Check Point’s head of cyber research, tells me: “These chips are the crown jewels for mobile exploitation—if you find a vulnerability in the way the chip handles incoming calls or SMS, you can potentially exploit a phone by just sending a message, or a call.”
While the potential for such a zero-click attack is deeply concerning, exploitation is extremely challenging; we’re talking nation-state-level operations. “These mobile chips are super-hard to research,” Balmas explains. “They are almost exclusively proprietary, taking a look inside is a really hard task that may take years to accomplish.”
Following Check Point’s disclosure, Qualcomm patched this latest flaw in December 2020. But it is down to phone manufacturers to roll the fix out to their devices. The issue affects “hundreds of millions of high-end phones,” Check Point says. Samsung is the most prominent name on the list, but certain phones from Google, LG, Xiaomi and OnePlus are also at risk. At the premium end of the 5G market, though, Samsung will be the most impacted by far.
Qualcomm told me that “providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available.”
“We found some pretty interesting vulnerabilities there that can lead to Remote Code Execution,” Balmas warns. “The application itself could do anything a malicious application does—steal your data, tap your calls and SMS.” And while attacking the chip from outside, over the air, is not really viable in this case, it can be attacked by malware already running on the device. That malware can then hide in the modem, invisible to the Android OS and to the security tools running on it, and impossible to remove.
“There is the usual issue here with closed source code,” Balmas says, “the fact these chips are very hard to inspect means you need to trust Qualcomm’s security, which historically is not a good idea—not specifically Qualcomm, but in general.”
Balmas is not yet confident that this vulnerability will have been patched in enough phones to eradicate the risk. “There is a long supply chain here: Qualcomm to phone vendors to consumers. That makes it really hard to fix such issues once found. It took us a really long iteration with Qualcomm in order to address this issue. We’re talking about a minimum of one year until fixes arrive with consumers.”
This issue again highlights the disparity between iOS and Android when it comes to critical updates. Even with Samsung, there is a complex update process, differing by region and flagships versus cheaper phones. It is certainly not on Apple-like rails.
“We reported the issue at the beginning of October 2020,” Balmas tells me. “Qualcomm released a patch for most models in December, and Samsung just released a patch this month for many of their leading models. That said, they did mention that the patch might not include old or less popular models as this is a huge process that needs to be done on their side. And that is of course only Samsung… the rest of the phone vendors surely are having similar issues.”
As SamMobile explains, “if Samsung says a device is scheduled to get monthly updates, it may not provide a monthly update for that device in every country or region… Carriers also affect the schedule for some devices. For example, some carriers may choose to put a device on a quarterly schedule even if Samsung provides a monthly update for unlocked units… There are no guarantees, basically, and while Samsung releases security updates with impressive regularity, it’s always possible a Galaxy phone or tablet may miss out on some security patches from time to time.”
I reached out to Samsung for confirmation that this update has been made available for their 5G smartphones and an indication of the numbers of devices still left exposed, but have not received a response. I will add any updated information here.
We have seen Apple issue multiple urgent updates in recent months, fixing high-risk iPhone issues quickly and pushing the fix directly to every supported device. That simply isn’t the case with Android and Samsung, where each phone manufacturer runs its own process after Google or Qualcomm or others have released a fix.
That means there is a much lower level of update compliance on Android than on iOS, which means a much greater likelihood that vulnerabilities are exploited long after a patch exists. Ultimately, this is the biggest security issue for Android users, so much so that it prompted my Straight Talking Cyber colleague Davey Winder to swap his longtime run with Samsung Galaxy phones for an iPhone instead.
That said, if you do have a Samsung Galaxy 5G phone then you should make sure you have the latest update installed. Samsung is better than most Android manufacturers at pushing out updates, but there is still a lag between a component vendor’s fix and the Samsung update that carries it. “My main message,” Balmas says, “is to update now to the latest OS on your mobile.” Indeed, and keep doing the same.
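Checking whether a phone has actually received a post-fix build is something you can do yourself rather than waiting for a notification. The script below is an added example, not code from the article or from Check Point, Qualcomm or Samsung: it reads the security patch level that Android exposes through `getprop ro.build.version.security_patch` and compares it against a cutoff date. The cutoff of 2020-12-01 is an assumption chosen for illustration, because the article says Qualcomm shipped fixes to OEMs in December 2020; the specific vendor bulletin that carries the modem fix for a given model has to be confirmed with that vendor. The `getprop` dump in the script is constructed so it runs offline; on a real device you would pipe `adb shell getprop` into `report_device` instead.

```shell
#!/bin/sh
# Added example (not from the article or from Check Point/Qualcomm/Samsung):
# check whether an Android device's reported security patch level is at or
# after a cutoff date. The cutoff is an assumption for illustration; the dump
# below is a constructed sample, not captured from a real phone.

CUTOFF="2020-12-01"   # assumed cutoff: month Qualcomm made fixes available to OEMs

# Constructed sample of `getprop` output (not from a real device).
SAMPLE_GETPROP='[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2021-05-01]
[ro.product.model]: [EXAMPLE-MODEL]'

# extract_patch_level: read a full getprop dump on stdin and print the
# security patch level (YYYY-MM-DD). adb output may carry CRs, so strip them.
extract_patch_level() {
    tr -d '\r' | sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\([0-9-]*\)\]$/\1/p'
}

# patch_level_at_least LEVEL CUTOFF
#   returns 0 if LEVEL >= CUTOFF, 1 if LEVEL is older, 2 if a date is malformed.
patch_level_at_least() {
    for d in "$1" "$2"; do
        case "$d" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) return 2 ;;
        esac
    done
    # Strip the dashes so ISO dates compare as plain integers (YYYYMMDD).
    lvl=$(printf '%s' "$1" | sed 's/-//g')
    cut=$(printf '%s' "$2" | sed 's/-//g')
    [ "$lvl" -ge "$cut" ]
}

# report_device: run the check against a getprop dump on stdin, print a
# verdict, and return 0 (current), 1 (stale) or 2 (missing/malformed).
report_device() {
    level=$(extract_patch_level)
    if [ -z "$level" ]; then
        echo "no security patch level found in getprop output"
        return 2
    fi
    rc=0
    patch_level_at_least "$level" "$CUTOFF" || rc=$?
    case "$rc" in
        0) echo "patch level $level is at or after $CUTOFF" ;;
        1) echo "patch level $level predates $CUTOFF; check the vendor bulletin and update" ;;
        *) echo "malformed patch level: $level" ;;
    esac
    return "$rc"
}

# Offline demonstration against the constructed sample. For a real phone:
#   adb shell getprop | report_device
printf '%s\n' "$SAMPLE_GETPROP" | report_device || true
```

The patch level only tells you which monthly bulletin a build claims to include; whether that bulletin contains the modem fix for your model is a separate question for the vendor, which is why the script reports a date comparison and not a fixed/not-fixed verdict.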