Oh, you thought 2020 was done messing with you? Or at least turning down the volume? Nah, there are five months left and the worst year can always get just.. that… much worse. If you’re using an Android smartphone with a Qualcomm Snapdragon chip’s DSP, you’re at risk of having your handset turned into a spying device. And there’s not just one way for it to happen, either.
The collection of 400 or so vulnerabilities is known as Achilles and it involves more than a billion smartphones around the world. Researchers from Check Point have identified issues with Snapdragon DSPs (digital signal processors) — you know, the thing that lets you take photos or render video using your smartphone, among other uses — that could have catastrophic consequences for your smartphone. Literally.
One of the possible hacks — there are three major ones — involves rendering the phone inoperable remotely. Specifically, “…[m]aking all the information stored on this phone permanently unavailable – including photos, videos, contact details, etc – in other words, a targeted denial-of-service attack.”
There’s also the possiblity that an ‘interested party’ could turn your handset into a “perfect spying tool”, and you’d never know because the exploit doesn’t need your involvement. Just the right video being rendered through the chip or the installation of apps that don’t require any of the usual permissions. Information up for grabs? Well, how about “…photos, videos, call-recording, real-time microphone data, GPS and location data”, plus anything else your phone contains.
Oh, yeah, and the way Achilles works, you’d never even know your data was being siphoned off. Malware becomes invisible and impossible to remove.
The fix is in
There’s a fix for the vulnerability available from Qualcomm, but it hasn’t been rolled out to any Android smartphones yet. Ars Technica queried with Google when the fix would be integrated with the Android OS and the company handed the question off to Qualcomm — who didn’t answer.
What Qualcomm did say was: “Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”
Which is about all you can do. There’s no way to tell which apps might compromise your handset with the Achilles vulnerability and also no way to tell which videos might be booby-trapped. Check Point has intentionally held off on publishing the full exploit but you best believe someone’s looking in to how to get a hack working right now.