Security researchers from Check Point have published a report that highlights a flaw in Qualcomm's Snapdragon chip architecture. Those chips are used in almost every major Android flagship, including models from Google, Samsung, OnePlus, and LG.
According to the researchers, more than 400 flaws were found in the code within Qualcomm's Digital Signal Processor (DSP) chips. Those Systems on a Chip (SoCs) control everything from voice commands to video processing and various audio and multimedia features.
These flaws could allow attackers to use a device to spy on a user without any interaction required. For example, an attacker could potentially gain access to your photos and videos, GPS location data, and even gain real-time access to your microphone.
Likewise, they could install undetectable or unremovable malware, making it possible to render the device completely unresponsive or unrecoverable.
Because these vulnerabilities are in the code within the Qualcomm chip, it will take time for hardware makers to update and patch. In fact, while Qualcomm has already implemented a fix in new chips moving forward.
To emphasize the point, Yaniv Balmas, head of cyber research at Check Point says:
Hundreds of millions of phones are exposed to this security risk. You can be spied on. You can lose all your data... Luckily this time, we were able to spot these issues. But, we assume it will take months or even years to completely mitigate it. If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time.
As a result, while the research firm has provided its findings to Qualcomm, it isn't publishing the exact specifications of the exploit in order to prevent it from falling into the hands of bad actors before manufacturers have the opportunity to implement a fix.
According to Check Point, "To exploit the vulnerabilities, a hacker would need to simply persuade the target to install a simple, benign application with no permissions at all."
Here's what the means for you:
First, don't download or install any app that you aren't sure is from a reliable source. I'm not talking about whether you recognize the app, but whether you trust the source. Since you can download apps to an Android device outside of the official Google Play Store, for example, be smart about where you download apps.
That probably seems like common sense, but it shouldn't surprise anyone at this point that hackers are getting pretty good at looking legitimate. That means it's up to you to pay attention and protect yourself. Generally, if it seems too good to be true, or if something seems not quite right, it probably isn't. Otherwise, you may end up paying a much bigger price in terms of your privacy.