
Qualcomm discovers zero-day vulnerability in chipsets

Zero-Day Vulnerability

Qualcomm, a major chipmaker, revealed on Monday that hackers took advantage of a zero-day vulnerability in many of its chipsets used in popular Android devices. A zero-day vulnerability is a security flaw that was not known to the hardware maker when it was exploited. According to Qualcomm, there are “indications” from Google’s Threat Analysis Group (TAG) that the zero-day vulnerability “may be under limited, targeted exploitation.” TAG looks into government hacking threats and has played a key role in determining the extent of the vulnerability.

Qualcomm also noted that Amnesty International’s Security Lab, which works to safeguard civil society from digital surveillance and spyware threats, has verified Google’s assessment. The Qualcomm flaw has been added to the list of vulnerabilities known to be exploited in the wild by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). However, it is still unclear who was exploiting the vulnerability, which individuals were targeted, or what the motives were behind the hacking campaigns.

Catherine Baker, Qualcomm’s spokesperson, praised the researchers from Google Project Zero and Amnesty International Security Lab for their coordinated disclosure practices, which enabled the company to release fixes for the vulnerability. As of September 2024, Qualcomm has made fixes available to its customers.

Qualcomm chipsets face security exploit

Android device makers that use these chipsets are now responsible for distributing the patch to their customers’ devices. Qualcomm listed 64 different chipsets affected by this vulnerability in its advisory, including the company’s flagship Snapdragon 8 (Gen 1) mobile platform. This chipset is used in devices from manufacturers such as Motorola, Samsung, OnePlus, Oppo, Xiaomi, and ZTE, potentially leaving millions of users worldwide vulnerable.

The fact that Google and Amnesty are investigating the use of this zero-day vulnerability under “limited, targeted exploitation” indicates that the hacking campaign was probably aimed at specific individuals rather than a large number of targets. Hajira Maryam, Amnesty spokesperson, stated that further research on this vulnerability would be published soon. Meanwhile, Google spokesperson Kimberly Samra said that TAG had no additional comments.
