Nasty Android malware could put millions at risk — what to do now

(Image credit: Shutterstock)

If you’ve bought an Android phone at any point in the last decade, there’s a good chance it’s powered by a Qualcomm chip. The company’s smartphone market share has rarely dropped below 40% worldwide in the last few years — and that figure includes iPhones that exclusively run Apple processors. 

With that in mind, you should be alarmed by the latest research from Check Point, which reveals that Qualcomm chips have over 400 vulnerabilities built in.

The potential issue, dubbed Achilles, arises in the digital signal processing (DSP), which handles much smartphone functionality including charging, video and audio. Check Point’s research shows that these vulnerabilities could potentially be exploited by a target downloading a malicious video or a dubious app.

If a user downloaded a malicious file that exploited one of these flaws, their phone would be at the mercy of a third party, with hackers able to access files and location data, or even turn the handset into a spying tool by switching on the microphone at will. 

Alternatively, additional malware could be smuggled or, or a malicious type could just lock away all the data. However you paint it, it’s bad news if you’re infected.

“While DSP chips provide a relatively economical solution that allows mobile phones to provide end users with more functionality and enable innovative features — they do come with a cost,” Check Point writes in its report. 

“These chips introduce new attack surface and weak points to these mobile devices. DSP chips are much more vulnerable to risks as they are being managed as ‘Black Boxes’ since it can be very complex for anyone other than their manufacturer to review their design, functionality or code.”

After all this bad news, here’s a bit of good. Firstly, there’s no evidence that the problem is being exploited ‘in the wild’ yet, which is a relief. 

Secondly, Qualcomm has fixed the flaw before anyone has managed to take advantage. 

“We worked diligently to validate the issue and make appropriate mitigations available to OEMs,” the company said in a statement, adding that users should “update their devices as patches become available.”

Did you spot the bad news in that paragraph? That’s right: said patches aren’t available yet. 

While Qualcomm has made the fix, it’s yet to be added to the Android OS by Google or patched into software updates by any manufacturer. And while Check Point hasn’t released technical details about the vulnerability yet, it is nonetheless still out there if a malicious third party figures it out for themselves. 

In the meantime, therefore, you should be extra vigilant when following links or downloading apps. Use the Google Play Store if you can — but even then be careful, as Google’s app vetting procedures have never exactly been watertight

Alan Martin

Freelance contributor Alan has been writing about tech for over a decade, covering phones, drones and everything in between. Previously Deputy Editor of tech site Alphr, his words are found all over the web and in the occasional magazine too. When not weighing up the pros and cons of the latest smartwatch, you'll probably find him tackling his ever-growing games backlog. Or, more likely, playing Spelunky for the millionth time.