1 Billion Android Phones At Risk due to CPU Flaw

Security researchers spotted a major flaw in a processor that's in more than a billion Android phones. It's been fixed now, but highlights the importance of a couple of key security measures users should take.

Researchers at Check Point say they spotted the errors on a processor from Qualcomm that's used on more than 40 percent of cellphones. The processor is known as a "system on a chip" (SoC) because it combines hardware and software in a single unit.

The processor controls some key functions on a phone including charging, video and audio. Because it's a system on a chip, it runs partially on its own set of code.

Check Point say they discovered 400 pieces of code which had some form of security flaw. They said these could produce three major negative effects if exploited in the right way. (Source: checkpoint.com)

Phones Could Be Rendered Useless

Firstly, the phone could effectively become a spy tool by allowing a hacker to access all manner of information from the phone including photos, microphone recordings and location.

Secondly, attackers could remotely tamper with data on the phone making the information unavailable and the device unresponsive and effectively useless.

Finally, the flaws could mean malware added to the device would not only be impossible to remove but could operate without being visible.

The researchers say they aren't publishing full details of the vulnerabilities or how they'd be exploited, though they did say it would simply involve persuading a victim to install an app. Currently there is no way to test for the vulnerability since details of the exploit is tight-lipped.

After receiving a vulnerability report from Check Point, Qualcomm fixed the code and sent a fix out to phone makers. It says it's seen no sign of the bugs being exploited at the moment. (Source: mirror.co.uk)

How To Stay Safer

Qualcomm gave two pieces of advice to users. One is to keep Android devices updated with all security fixes. That can be an awkward issue as security updates are commonly issued by manufacturers, which means they may not get to all devices at the same time.

The other is to only install apps from trusted sources, most notably the Google Play Store. It's not yet clear whether the type of malicious app needed to initially exploit these security flaws would have been able to pass Google's vetting process for the Play Store, nor whether it would have required unusual or suspicious permissions from the user.

What's Your Opinion?

Are you worried that devices are too complicated to keep secure? Do you actively keep your phone updated with security fixes? Does your devices manufacturer issue updates in a timely manner?