Millions of Android Smartphones Vulnerable to Trio of Qualcomm Bugs

Flaws in Qualcomm chipset expose millions of Android devices to hacking threat.


Security researchers from Tencent’s Blade Team are warning Android smartphone and tablet users of flaws in Qualcomm chipsets, called QualPwn. The bugs collectively allow hackers to compromise Android devices remotely simply by sending malicious packets over-the-air – no user interaction required.

Three bugs make up QualPwn (CVE-2019-10539, CVE-2019-10540 and CVE-2019-10538). The prerequisite for the attack is that both the attacker and targeted Android device must be active on the same shared Wi-Fi network.

“One of the vulnerabilities allows attackers to compromise the WLAN and modem, over-the-air. The other allows attackers to compromise the Android kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android kernel over-the-air in some circumstances,” wrote researchers.

All three vulnerabilities have been reported to Qualcomm and Google’s Android security team and patches are available for handsets. “We have not found this vulnerability to have a public full exploit code,” according to a brief public disclosure of the flaws by the Tencent Blade Team.

Researchers said their focus was on Google Pixel2 and Pixel3 handsets and that its tests indicated that unpatched phones running on Qualcomm Snapdragon 835 and Snapdragon 845 chips may be vulnerable.

A Qualcomm spokesperson told Threatpost in a statement: “Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.”

The first critical bug (CVE-2019-10539) is identified by researchers as a “buffer copy without checking size of input in WLAN.” Qualcomm describes it as a “possible buffer overflow issue due to lack of length check when parsing the extended cap IE header length.”

The second bug (CVE-2019-10540) is classified as critical and a “classic buffer overflow” where the buffer copies without checking size of input WLAN. Qualcomm describes it as a “buffer overflow in WLAN NAN function due to lack of check of count value received in NAN availability attribute.”

Qualcomm, in its advisory, indicated that the CVE-2019-10540 bug may have a wider impact and said chipsets effected include: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130.

The third bug (CVE-2019-10538) is not listed on Qualcomm’s August security bulletin, but is rated high in severity by Google’s August Android Security Bulletin. Tencent only describes the CVE as a “modem into Linux Kernel issue.”

The QualPwn vulnerabilities will be discussed by Tencent’s Blade Team researchers at BlackHat USA 2019 and DEFCON 27 later this week, according to researchers. Researchers declined to share vulnerability specifics until, as they put it: “we’re informed that the flaws are fixed and consumers have time to install security updates on their devices.”

Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.

(This article was updated at 1:30 pm EDT with Qualcomm’s statement) 

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.