Qualcomm modem flaw affects 30% of all phones; lets attackers record phone calls

XDA

By Pranob Mehrotra

Published May 7, 2021

Security researchers have discovered a new flaw in Qualcomm's Mobile Station Modem that affects around 30% of all Android phones.

Israeli security firm Check Point Research has discovered a flaw in Qualcomm's Mobile Station Modem that affects millions of Android phones worldwide. The firm claims that hackers can exploit the vulnerability and gain access to your text messages, phone calls and, in some cases, even unlock your SIM card.

Check Point's report reveals that the Mobile Station Modem is an integral part of Qualcomm's chips dating back to the early 1990s. It's still a part of some of the latest 5G-chipsets from the company, and it can be found on some of the latest models from Samsung, Google, Xiaomi, LG, OnePlus, and more. Therefore, the vulnerability affects a significant chunk of Android smartphones worldwide. Check Point estimates that up to 30% of all Android phones have the Qualcomm modem software that includes this vulnerability.

The report further reveals that hackers can exploit the vulnerability to "inject malicious code into the modem from Android. This gives the attacker access to the user's call history and SMS, as well as the ability to listen to the user's conversations." Attackers can also exploit this vulnerability to unlock the SIM card and overcome any limitations set in place by service providers.

Qualcomm is aware of the vulnerability, and the company has already issued a fix. In a statement to Tom's Guide, a Qualcomm representative said, "Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available." It's worth mentioning that the catalog number assigned to the vulnerability (CVE-2020-11292) is not included in any Android security bulletin published since December 2020. But Google may have included it in a previous security update without mentioning it in the bulletin. The company will publicly address it in the June 2021 security update, though, according to a Qualcomm spokesperson.

At the moment, it isn't clear if all affected devices have been patched or not. "From our experience, the implementation of these fixes takes time, so many of the phones are likely still prone to the threat," a Check Point representative told Tom's Guide. If you're using a Qualcomm Snapdragon-powered device that has not received a security update since November 2020, your device is likely still vulnerable. In case you have, though, your OEM may have patched the vulnerability.

For more details about the vulnerability, head over to Check Point's report by following this link.