Qualcomm’s Snapdragon SoC have the reputation of world’s best silicon for mobile devices, and most benchmarks actually prove that, though one can argue about everyday performance and how noticeable the difference is compared to rival chips. Anyways, security research company Check Point discovered a vulnerability in Snapdragon’s DSP that exposed Android devices using the Snapdragon chipset to potential spying, data theft or bricking.
A Digital Signal Processor has the role of applying algorithms/mathematical operations on digitized real-world signals like audio, photo and video. Check Point discovered 400 vulnerabilities in the DSP, that according to Forbes’ report, affects 40% of world smartphones.
To use these vulnerabilities, the attacker would have to persuade the user to install a malicious application that doesn’t require any permission to be able to utilize the vulnerability for spying and bricking the device. The issues were confirmed by Qualcomm and classified as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.
Qualcomm also notified all partners and patched the vulnerabilities, but it is not known when the fix will be distributed for Android smartphones. The issue with a security threat in Android ecosystem is the fragmentation and bad software support from vendors for midrange and low end phones. Nokia Mobile is a great example how a company should operate in delivering regular security patches and frankly most top Android brands improved as well during the last years, but I didn’t see any brand committed to the whole portfolio in terms of security update as the Finns, so Nokia users probably shouldn’t worry about this that much.