Another disclosure to a now patched zero-day vulnerability has been made by Google, affecting those Android devices that use Qualcomm chipsets, enabling adversaries to weaponise the device in launching targeted cyberattacks.
Being tracked as CVE-2020-11261 with a CVSS score of 8.4, this vulnerability concerns the “improper input validation” issue on Qualcomm Graphic chip components that hackers have exploited to trigger memory corruption attacker developed app requests access to a chunk of the mobile device’s memory.
Further analysis of the flaw indicates that it may be under limited, targeted exploitation, as Google stated.
Google’s Android Security team has discovered and reported to Qualcomm on July 20, 2020, and was fixed in January 2021.
Below is the list of the Qualcomm chipsets affected by this vulnerability:
It is important to note that the access vector of this vulnerability exploit is local. This means that exploitation requires local access to the mobile device. So for a threat actor to conduct a successful attack, they need physical to the smartphone or use other means to deliver the malicious scripts and codes and start off the attack chain such as watering hole attack or tricking a victim social engineering tactics.
While the disclosure is specific about the kind of attack exploit using this vulnerability, the identity of the threat actors or hackers and the targeted victims were not released. When it comes to Google disclosures, it is not unusual for them to withhold sharing those specific data on the report to prevent other hackers and hacking groups from taking advantage of the flaw.
For these reasons, we strongly advise mobile users to promptly install monthly security updates and patch releases once they are available to prevent mobile phones from being exploited. For consumers wary of their private details, you may turn off your auto assistant to prevent them from listening, not because you can’t trust the service, but hackers can get around it. Also, avoid saving financial details in your SMS, notes and call recordings. Phones today may be an all-in-one device but being more cautious on how we use it and what we store within these devices helps mitigate unforeseen risks.