New Flaws in Qualcomm Chips Expose Millions of Android Devices to Hacking

A series of critical vulnerabilities have been discovered in Qualcomm chipsets that could allow hackers to compromise Android devices remotely just by sending malicious packets over-the-air with no user interaction.

Discovered by security researchers from Tencent’s Blade team, the vulnerabilities, collectively known as QualPwn, reside in the WLAN and modem firmware of Qualcomm chipsets that powers hundreds of millions of Android smartphones and tablets.

According to researchers, there are primarily two critical vulnerabilities in Qualcomm chipsets and one in the Qualcomm’s Linux kernel driver for Android which if chained together could allow attackers to take complete control over targeted Android devices within their Wi-Fi range.

> “One of the vulnerabilities allows attackers to compromise the WLAN and Modem over-the-air. The other allows attackers to compromise the Android Kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android Kernel over-the-air in some circumstances,” researchers said in a blog post.

The vulnerabilities in question are:

• CVE-2019-10539 (Compromising WLAN) — The first flaw is a buffer overflow issue that resides in the Qualcomm WLAN firmware due to lack of length check when parsing the extended cap IE header length.

• CVE-2019-10540(WLAN into Modem issue) — The second issue is also a buffer-overflow flaw that also resides in the Qualcomm WLAN firmware and affects its neighborhood area network (NAN) function due to lack of check of count value received in NAN availability attribute.

• CVE-2019-10538 (Modem into Linux Kernel issue) — The third issue lies in Qualcomm’s Linux kernel driver for Android that can be exploited by subsequently sending malicious inputs from the Wi-Fi chipset to overwrite parts of Linux kernel running the device’s main Android operating system.

Once compromised, the kernel gives attackers full system access, including the ability to install rootkits, extract sensitive information, and perform other malicious actions, all while evading detection.

Though Tencent researchers tested their QualPwn attacks against Google Pixel 2 and Pixel 3 devices that are running on Qualcomm Snapdragon 835 and Snapdragon 845 chips, the vulnerabilities impact many other chipsets, according to an advisory published by Qualcomm.

> “IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130”

Researchers discovered the QualPwn vulnerabilities in February and March this year and responsibly reported them to Qualcomm, who then released patches in June and notified OEMs, including Google and Samsung.

Google just yesterday released security patches for these vulnerabilities as part of its Android Security Bulletin for August 2019. So, you are advised to download the security patches as soon as they are available

Since Android phones are infamously slow to get patch updates, researchers have decided not to disclose complete technical details or any PoC exploit for these vulnerabilities anytime soon, giving end-users enough time to receive updates from their device manufacturers.