topicnews · October 11, 2024

Zero-day vulnerability in Qualcomm mobile processors has already been exploited in isolated cases

Qualcomm has confirmed a zero-day vulnerability in a range of mobile processors and wireless chips that attackers are already exploiting. Few details are available yet, but because many of the affected chips for Android smartphones and tablets have been on the market for several years, there may already have been a number of attack attempts. Qualcomm, however, assumes the attacks were limited and targeted.


The previously unknown zero-day vulnerability is tracked as CVE-2024-43047 and could allow unauthorized access to the device’s memory. Qualcomm rates the severity of the vulnerability as high, and the US cybersecurity agency CISA classifies it as critical. According to Qualcomm, it was discovered at the end of July this year. The company informed its customers at the beginning of September and provided a patch, which the manufacturers of Android devices are expected to deploy.

In addition to WLAN and Bluetooth chips, the Qualcomm platforms affected by the vulnerability include the Snapdragon 660, 680, 685, 865, 870, 888 and 888+ mobile processors, which are widely used in Android smartphones, as well as the Snapdragon 8 Gen 1 mobile platform. The Snapdragon 660 was introduced in 2017 and was particularly popular in mid-range smartphones from Chinese manufacturers such as Xiaomi. The Snapdragon 888+ was Qualcomm’s high-end chip of 2021, and the Snapdragon 8 Gen 1 was released the following year.

The zero-day vulnerability was found by security researchers from Google’s Threat Analysis Group, which focuses on state-sponsored cyber attacks, and from the Security Lab of the human rights organization Amnesty International, which aims to protect society from digital surveillance and spyware. Both organizations confirm that the vulnerability has been exploited. According to TechCrunch, Google did not want to add anything to Qualcomm’s information, while Amnesty International promises that an investigation report will appear shortly.

Qualcomm did not want to provide details about the attacks based on this vulnerability and refers to the Google security researchers and Amnesty International, so further information is still pending. Widespread attacks are unlikely, however, as both organizations consider this zero-day vulnerability to be suited to limited and targeted attacks. This means that only individual people are likely to have been attacked, not a large number of users.


(fds)