Qualcomm vulnerability affects nearly one-third of all phones

Samsung, LG, Google and Xiaomi are among the major manufacturers using Qualcomm's chips

Nearly a third of all smartphones in the world are affected by a security bug in Qualcomm chips, which attackers could use to compromise devices and listen to users' phone conversations.

Researchers at Israeli cybersecurity firm Check Point discovered the bug and disclosed the details in a report published on Thursday.

The team identified a flaw in Qualcomm's mobile station modem (MSM) interface, which enables the chip to communicate with the device's operating system.

The vulnerability "can be used to control the modem and dynamically patch it from the application processor," the researchers said.

Qualcomm chips with MSM interface have been used in mobile phones since the 1990s. The company has continuously updated its MSM tech over the years to support the transitions between cellular generations: from 2G to 3G, 4G, and now 5G. Xiaomi, Samsung, LG and Google are some of the brands using the MSM chips in their smartphones.

Check Point says this specific vulnerability could enable attackers to inject malicious code into the MSM and gain access to a device's SMS messages and call history. An attack could also use it to eavesdrop on phone conversations and potentially unlock the SIM to recover even more information from the device.

Check Point notified Qualcomm of the bug in October 2020, which labelled it a 'high-rated vulnerability'.

The bug was indexed as CVE-2020-11292, and Qualcomm patched it in December 2020. The Check Point researchers say 'some' smartphone makers have applied the patch in their OS and started rolling out necessary updates to end users - but not all.

Check Point advised users to update their devices to the newest OS versions to protect themselves against malware, although there is no report of the vulnerability being exploited in the wild.

Last year, Check Point researchers claimed that they had uncovered more than 400 flaws in Qualcomm's Snapdragon digital signal processor (DSP) chips, which hackers could use to steal sensitive data from Android devices.