Zero-day gap in Qualcomm mobile processors already attacked in isolated cases
Several Snapdragon chips for Android devices have a security vulnerability classified as critical. It has already been exploited sporadically and deliberately.
Security vulnerabilities threaten Android smartphones.
(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)
Qualcomm has confirmed a zero-day vulnerability in a number of mobile processors and wireless technology chips that is already being exploited by malicious attackers. Details are scarce so far, but as many of the affected chips for Android smartphones and tablets have been on the market for several years, there may have been a number of attempted attacks. However, Qualcomm assumes that the attacks were limited and targeted.
The previously unknown zero-day vulnerability is listed as CVE-2024-43047 and could allow unauthorized access to the device's memory. Qualcomm has given the vulnerability a high security rating, with the US cyber security authority CISA classifying it as critical. According to Qualcomm, it was discovered at the end of July this year. The company informed its customers accordingly at the beginning of September and made a patch available, which the manufacturers of Android devices are expected to deploy.
Videos by heise
In addition to WLAN and Bluetooth chips, the Qualcomm platforms affected by the vulnerability include the Snapdragon 660, 680, 685, 865, 870, 888 and 888+ mobile processors, which are widely used in Android smartphones, as well as the Snapdragon 8 Gen 1 mobile platform. The Snapdragon 660 was introduced back in 2017 and was particularly popular with mid-range smartphones from Chinese manufacturers such as Xiaomi. The Snapdragon 888+ was Qualcomm's high-end chip of 2021, and the Snapdragon 8 Gen 1 was released the following year.
Discovered by Google and Amnesty International
The zero-day vulnerability was discovered by Google's security researchers from the Threat Analysis Group, which focuses on state-sponsored cyberattacks, and the Security Lab of the human rights organization Amnesty International, which aims to protect society from digital surveillance and spyware. Both organizations confirm that the vulnerability was attacked. While Google did not want to add anything to Qualcomm's statements according to Techcrunch, Amnesty International promises that a corresponding investigation report will be published shortly.
Qualcomm did not want to give any details about the attacks based on this security gap and refers to the Google security researchers and Amnesty International, meaning that further information is still pending. However, it is unlikely to be a widespread attack, as both organizations consider this zero-day vulnerability to be suitable for limited and targeted attacks. This means that only individuals are likely to have been attacked and not a large number of users.
(fds)
