Serious Android flaw threatens hundreds of millions of users — what to do

Android 12 release date, beta and features
(Image credit: Photo Illustration by Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images)

A deep-rooted flaw in Qualcomm chips threatens hundreds of millions of Android phones.

The news comes form Israeli security firm Check Point in a new report. The security firm says hackers could use the flaw to read your text messages, listen to your phone conversations and in some cases even unlock your SIM card. Qualcomm told Tom's Guide that it has released a fix for the flaw to handset makers, but it may still be some time before many handset makers push the fix out to most users' phones.

The vulnerability lies in the Mobile Station Modem (i.e., a cellular modem), which dates back to 1990 and is still present in the integrated chipsets of the latest 5G-enabled phones, Check Point says.

Check Point estimates that up to 30% of Android phones worldwide, including top models made by Samsung, Google, Xiaomi, LG and OnePlus, have the Qualcomm modem software that includes this vulnerability. Other top makers using Qualcomm chips include Asus, Sony and ZTE. 

Apple devices or Android phones that use chipsets by other manufacturers are not affected.

What can you do about this Qualcomm flaw?

There's not much you can do to fix this problem yourself other than to install system updates as they come. Check Point suggests that while you wait for a fix, you should follow the standard Android best practices: Avoid app stores other than Google Play, and run one of the best Android antivirus apps. 

"Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available," a Qualcomm representative told us.

The catalog number assigned to this flaw, CVE-2020-11292, is not mentioned in any recent Android security bulletin, including the May Android security bulletin released three days ago. It's possible Google has quietly patched it in secret, although there are plenty of other "closed-source components" in each month's updates.

A Qualcomm representative told Tom's Guide that the fix would be publicly included in the June Android security bulletin next month. 

The Qualcomm representative added that Check Point's attack scenario seems kind of pointless because it would involve breaching Android security first. That would already give the attacker the same kind of information about texts and calls that could be gleaned from breaking into the MSM modem afterward.

Because each handset maker crafts its own updates for each model, it's possible that manufacturers such as Samsung or Sony may have bundled the fix for CVE-2020-11292 into its own updates.

"We do not know who patched or not," a Check Point representative told Tom's Guide. "From our experience, the implementation of these fixes takes time, so many of the phones are likely still prone to the threat."

So if your Qualcomm-using phone has not had a system update since November 2020, it's a safe bet that your phone has not been patched against this flaw. If it has had an update since then, then it may have been patched.

Technical details still under wraps

On the upside, there have been no reports of bad guys exploiting this flaw in the wild. Check Point has left out several of the technical details of the vulnerability so that readers of its report won't be able to try it themselves.

Qualcomm's modems are pretty hard to successfully attack from the network side, Check Point said. So the Israeli company's researchers took the opposite approach and found they could hack into the modems from the Android operating system itself.

They were able to inject malicious code into the Qualcomm MSM Interface (QMI), which Check Point described as "a proprietary protocol that enables communication between the software components in the MSM and other peripheral subsystems on the device such as cameras and fingerprint scanners."

That injected code could let the attackers, or Android malware, read call logs and SMS text messages, and  eavesdrop on phone calls. Depending on the handset manufacturer, who can add additional capabilities to QMI, the flaw could also let attackers unlock the phone's SIM card.

Android malware could even use the modem as a place to "hide" from Android's security scanners or Android antivirus software, because one would have access to the modem's low-level processes.

Check Point notified Qualcomm of this flaw in October 2020, and told the chip maker that it would be making the flaw public in April 2021. It's not clear why Check Point waited until a few days into May.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.