A vulnerability discovered by security firm Check Point Research (via AndroidPolice)
could allow a malicious app to skip the usual security features giving
it access to call and text history. It also gives an attacker the
ability to record conversations.
The Qualcomm
Modem Interface (QMI) software is normally impossible for third-party
apps to access, but if key aspects of Android are hacked, the QMI
vulnerability can be used to listen in and record an active phone call,
and as we already pointed out, steal call and SMS records.
QMI is used on as much as 40% of Android handsets including those
made by Google, Samsung, OnePlus, LG, Xiaomi, and more. Check Point kept
certain information out of its report to make sure that the attack can
not be easily copied. There is no indication that the attack has been
used by a malicious hacker.
Check Point
revealed all of this to Qualcomm last October calling it a high-rated
vulnerability. The chip maker told the phone manufacturers that use
Qualcomm's modem chips. So far, the vulnerability has not been fixed and
we can only hope that Qualcomm and Google will patch this in a future
security update.
However, Qualcomm says that it did made fixes available to "many"
Android phone manufacturers last December and that these firms passed
along security updates to end users. The vulnerability will be part of
the June Android bulletin.
Qualcomm issued a
statement today that said, "Providing technologies that support robust
security and privacy is a priority for Qualcomm. We commend the security
researchers from Check Point for using industry-standard coordinated
disclosure practices. Qualcomm Technologies has already made fixes
available to OEMs in December 2020, and we encourage end users to update
their devices as patches become available."
Source: phonearena.com
