I tend to be a bit of a dog on a bone when it comes to patching your phone. Apple helps its phone owners and usually shoves patches down your throat, whether you want them or not – as long as the phone is still supported.
But when it comes to Android phones, it is an entirely different game unless you own a Google branded Pixel, Pixel 2 or Pixel 3 phone. For those phones, Google releases and installs patches like Apple does.
For every other Android phone, Google publishes the open source code to a public repository every month. Then the phone’s manufacturer had to download it and integrate any changes that it made. Up until recently, this was a completely optional decision on the part of the phone manufacturer. Once this is done and tested, the manufacturer, say LG Electronics, has to make the code available to each of the mobile carriers around the world. The mobile carrier then needs to integrate its changes into the code and test it. Again, completely voluntary. There will be a new option for brand new phones released with Android 10 this fall, but nothing now.
One more thing. Most manufacturers only patch a phone for a year or two AFTER THE INITIAL RELEASE – not after the date that you bought it. So, if a phone was released in January 2017 and you bought it in March 2018, it likely will only be patched for the first 9 months that you own it, at best. This means that for most of the time that you are using the phone, it will be vulnerable to be hacked. If you keep the phone for say 3 years – many people keep Android phones longer – than for about 2 and a half of those years, it will be open to attack.
This is why understanding this and being vigilant about patching is so important. And why many Android phones are already compromised.
So why today?
Security firm Tencent announced two critical bugs in the Qualcomm chipsets and one in the driver that would allow a hacker to take over an affected phone WITH NO USER ACTION REQUIRED.
Check out the link below for the details and CVE numbers.
Once compromised, the attack gives hackers full system access, including the ability to install rootkits (which are not detectable) and steal any information on the phone, most likely without being detected.
Some of the Qualcomm chipsets affected are:
“IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130”
Point is – a lot of them, affecting a lot of phones – most of which will never be patched.
While the researchers have not released all of the details on how to do the hack, all that is required is that you have WiFi enabled and be within WiFi range of the attacker such as being out in public in a store, coffee shop, airport, hotel or meeting area, just to name a couple of options.
If you use an Android phone, check to see if it is receiving patches. if you store anything sensitive on the phone, disable WiFi if you can.
IF YOUR PHONE IS NO LONGER RECEIVING PATCHES, THERE IS NOTHING THAT YOU CAN DO OTHER THAN NOT USING WIFI OR BUYING A NEW PHONE.
It will not be long before attackers figure out the details and start using this in the wild.
Source: The Hacker News.