Vulnerability affects high-end Android phones from Google, Samsung, LG, Xiaomi, and OnePlus

Qualcomm has, however, said that it issued fixes to OEMs for this vulnerability last year.

Highlights

  • A Qualcomm Snapdragon chipset vulnerability affected around 40 per cent of all Android phones.
  • These phones are from Samsung, Google, LG, Xiaomi, and OnePlus.
  • Qualcomm has said it has fixed the vulnerability and users should upgrade their phones.

The debate on whether Android is better than iOS, or the other way round, is not going to end anytime soon. And it looks like those advocating for iOS have a new point for their side of the debate. Security researchers have found a critical vulnerability in Qualcomm Snapdragon-powered smartphones that could allow any malicious app to patch the software and, consequently, gain access to the call and text history and record conversations. But Qualcomm has confirmed that it "made fixes available to OEMs" last year in December, and asked users to upgrade their phones.

According to researchers at Check Point Research, this vulnerability was alarming for nearly all Android phones, including the premium ones from Google, OnePlus, LG, Samsung, and Xiaomi, because Qualcomm's Snapdragon processors power a big chunk of them. The researchers found the vulnerability in the Qualcomm Modem Interface (QMI) software, a proprietary protocol that devices use to communicate between software components of the modem and other peripheral systems, such as cameras and fingerprint sensors. It could allow hackers to patch the software dynamically and bypass the security on the module.

Although third-party software does not have access to QMI, it can gain special privileges if the Android phone is compromised. And after a malicious patch is installed to the module, the hacker will gain access to the core properties of the modem and can use them to record conversations, snoop on calls and messages, and peep through the call and SMS history on the Android phone. These records could contain important SMS messages, including those from your bank. Check Point researchers have pointed out that the vulnerability in the Qualcomm chipset was present in at least 40 per cent of Android phones, including those from premier brands.

The researchers outlined the complex nature of the vulnerability and the ways to exploit it in the report but omitted the more technical aspects because they feared misuse of the process. The researchers have not said whether this vulnerability is being exploited right now or whether any phones have been affected by it. But they have claimed Qualcomm was made aware of the vulnerability, with high importance, back in October. Now, Qualcomm has come forward to clear the air.

In a statement to Android Police, a Qualcomm spokesperson said, "Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end-users to update their devices as patches become available."

The vulnerability was specifically found in the Qualcomm Snapdragon 835 processor used inside the Google Pixel 2. And even though Google has not shared a statement on the matter, its alliance with Qualcomm to ramp up security on Android should be satisfactory. Google has been working towards making Android more secure than ever with timely security patches, and this initiative has the support of partnering OEMs, including Samsung, OnePlus, LG, and Xiaomi, among others.