Qualcomm Chip Bug Opens Android Fans to Eavesdropping

A malicious app can exploit the issue, which could affect up to 30 percent of Android phones.

A vulnerability in a 5G modem data service could allow mobile hackers to remotely target Android users by injecting malicious code into a phone’s modem – gaining the ability to execute code, access mobile users’ call histories and text messages, and eavesdrop on phone calls.

That’s according to Check Point Research, which said that the bug (CVE-2020-11292) exists in the Qualcomm Mobile Station Modem (MSM) Interface, which is known as QMI for short. MSMs are systems on chips (SoCs) designed by Qualcomm, and QMI is a proprietary protocol used to communicate between software components in the modem and other peripheral subsystems.

zoho webinar promo

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.

The impact of the bug could be far-reaching: MSMs have been used since the pre-mobile internet 2G era of mobile devices, and QMI is used in roughly 30 percent of the globe’s handsets, according to Check Point, including Google Pixels, LG models, OnePlus devices, Samsung’s flagship Galaxy line and Xiaomi phones.

As for attack vector, essentially, attackers can exploit the bug to attack a mobile device remotely, via a malicious or trojanized Android application, a Check Point spokesperson told Threatpost.

“The vector involves a target installing a malicious application,” he said. “Assuming a malicious application is running on the phone, it can use this vulnerability to ‘hide’ itself within the modem chip, making it invisible in terms of all security measures on phones today.”

The spokesperson said that Check Point decided not to share all the technical details of the bug, lest it give hackers a roadmap on how orchestrate an exploitation. However, he noted that “basically, we tried ‘attacking’ the chip from within the phone itself, instead of from the carrier side. We went onto find some interesting vulnerabilities there that lead to remote code execution.”

He added, “furthermore, the vulnerability can allow ‘playing around’ with the modem itself. For example, [taking over a SIM card] and unlocking a phone that is fixed to be used by a certain carrier.”

A fix has been issued by Qualcomm, however the patches will be slow to roll out. As with all Android OEM issues, each handset vendor will need to apply the fix for its customers.

“Qualcomm says it has notified all Android vendors, and we spoke to a few of them ourselves,” the spokesperson told Threatpost. “We do not know who patched or not. From our experience, the implementation of these fixes takes time, so many of the phones are likely still prone to the threat.”

CVE-2020-11292: A Few Technical Details

Check Point did provide a few technical details within its analysis of CVE-2020-11292. For instance, it’s a heap overflow vulnerability in the “qmi_voicei_srvcc_call_config_req handler (0x64)” which is involved in providing voice service.

“The qmi_voicei_srvcc_call_config_req function begins its execution by parsing [a type-length-value (TLV) format] payload,” according to Check Point researchers, in a blog posting on Thursday. “To process this packet, the handler allocates 0x5B90 bytes on the modem heap, extracts the number of calls from the payload into the allocated buffer at offset 0x10, and then loops to fetch all call contexts into the buffer starting at offset 0x12. Due to the lack of checking for the maximum number of calls, it is possible to pass the value 0xFF in the number of calls field and thus overwrite in the modem heap up to 0x12 + 0x160 * 0xFF – 0x5B90 = 0x10322 bytes.”

Researchers added that successful attackers would control with his values 0x106 out of 0x160 bytes per call entry.

“Note that such a heap overwrite vulnerability allows us to bypass the modem heap canaries, because we have the ability to jump over the obstructing bytes,” they said. “The TLV payload that overwrites the canary byte 0x5B91 to 0xFF and triggers the modem reboot.”

Qualcomm chips have had flaws before; for instance, six serious bugs in Qualcomm’s Snapdragon mobile chipset were revealed by Check Point at last year’s DEF CON. They impacted up to 40 percent of Android phones in use, and opened up handsets to denial-of-service and privilege-escalation attacks.

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.  

Suggested articles