Newly disclosed chip vulnerabilities that may affect a large number of Android devices can be abused by hackers to plant unremovable malware on users’ handsets and steal their data.

The flaws were discovered by publicly traded cybersecurity provider Check Point Software Technologies Ltd. The company plans to discuss the vulnerability series, which it has codenamed Achilles, today at the online Def Con security event.

Check Point researchers discovered the flaws in a chip from Qualcomm Inc., a major semiconductor supplier to the mobile industry. The cybersecurity provider is withholding key technical details such as the name of the affected chip model in the interest of protecting users. The reason is that, though Qualcomm has patched the vulnerabilities, device makers whose products use its silicon need time to roll out updates for all their customers.

It’s unclear how many devices could be affected. However, given that Qualcomm’s chips are used by nearly all major Android smartphone makers and many others, the number of affected handsets could be significant.

Check Point shared high-level information about the flaws in a Thursday blog post ahead of today’s Def Con presentation to help raise industry awareness. The company says Achilles was found in a Qualcomm digital signal processor, which is a type of auxiliary chip in handsets that is mainly responsible for processing audio, video and image data. DSPs are found in most modern handsets and come included with Qualcomm’s ubiquitous Snapdragon mobile processors. 

Check Point identifies more than 400 pieces of insecure code in the chip. It has organized them into six vulnerability entries in the CVE system, a U.S. government-funded database of software security flaws.

The company said the flaws could be abused by hackers to create malware programs that can “completely hide their activities and become un-removable.” Once they gain a foothold on a device, attackers gain the ability to steal data without requiring the user to take an action such as opening a link. Achilles can also be exploited to make the data permanently inaccessible according to Check Point. 

“We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer,” Check Point Researchers wrote in the blog post, adding that the full research details were revealed to them. 

Qualcomm said in a statement that it hasn’t seen any signs indicating hackers are using Achilles to launch attacks. “We have no evidence it is currently being exploited,” the company stated. “We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

The discovery of Achilles is particularly significant because it’s relatively rare for security experts to report security flaws in DSP chips publicly. That’s partly because manufacturers tend to keep their DSP chips’ technical details and code under wraps, which makes analysis difficult. “We hope this research will help build better and more secure environments for the DSP chip ecosystem, as well as provide the necessary knowledge and tools for the security community to perform regular security reviews for these chips,” Check Point’s researchers wrote.

Image: Qualcomm