UPDATED 13:07 EST / AUGUST 07 2020

SECURITY

‘Achilles’ chip flaws in Android devices let hackers plant unremovable malware

Newly disclosed chip vulnerabilities that may affect a large number of Android devices can be abused by hackers to plant unremovable malware on users’ handsets and steal their data.

The flaws were discovered by publicly traded cybersecurity provider Check Point Software Technologies Ltd. The company plans to discuss the vulnerability series, which it has codenamed Achilles, today at the online Def Con security event.

Check Point researchers discovered the flaws in a chip from Qualcomm Inc., a major semiconductor supplier to the mobile industry. The cybersecurity provider is withholding key technical details such as the name of the affected chip model in the interest of protecting users. The reason is that, though Qualcomm has patched the vulnerabilities, device makers whose products use its silicon need time to roll out updates for all their customers.

It’s unclear how many devices could be affected. However, given that Qualcomm’s chips are used by nearly all major Android smartphone makers and many others, the number of affected handsets could be significant.

Check Point shared high-level information about the flaws in a Thursday blog post ahead of today’s Def Con presentation to help raise industry awareness. The company says Achilles was found in a Qualcomm digital signal processor, which is a type of auxiliary chip in handsets that is mainly responsible for processing audio, video and image data. DSPs are found in most modern handsets and come included with Qualcomm’s ubiquitous Snapdragon mobile processors. 

Check Point identified more than 400 pieces of insecure code in the chip. It has organized them into six vulnerability entries in the CVE system, a U.S. government-funded database of software security flaws.

The company said the flaws could be abused by hackers to create malware programs that can “completely hide their activities and become un-removable.” Once they gain a foothold on a device, attackers gain the ability to steal data without requiring the user to take an action such as opening a link. Achilles can also be exploited to make the data permanently inaccessible, according to Check Point.

“We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer,” Check Point researchers wrote in the blog post, adding that the full research details were revealed to them.

Qualcomm said in a statement that it hasn’t seen any signs indicating hackers are using Achilles to launch attacks. “We have no evidence it is currently being exploited,” the company stated. “We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

The discovery of Achilles is particularly significant because it’s relatively rare for security experts to report security flaws in DSP chips publicly. That’s partly because manufacturers tend to keep their DSP chips’ technical details and code under wraps, which makes analysis difficult. “We hope this research will help build better and more secure environments for the DSP chip ecosystem, as well as provide the necessary knowledge and tools for the security community to perform regular security reviews for these chips,” Check Point’s researchers wrote.
