Last 7 October, chipmaker Qualcomm has validated the suspicion of many that hackers exploited a zero-day — meaning a security flaw that was unknown to the hardware maker when it was abused — in dozens of its chipsets found in popular Android devices.
The zero-day vulnerability, officially designated CVE-2024-43047, "may be under limited, targeted exploitation," according to report, citing unspecified "indications" from Google's Threat Analysis Group, the company's research unit that investigates government hacking threats. Amnesty International's Security Lab, which works to protect civil society from digital surveillance and spyware threats, confirmed Google's assessment, Qualcomm said.
U.S. cybersecurity agency CISA included the Qualcomm flaw in its list of vulnerabilities that are known to be, or have been, exploited.
At this point, there aren’t many details about who was exploiting this vulnerability "in the wild" — meaning that whoever was using the zero-day was targeting individuals in real hacking campaigns. It also is not yet known which individuals were targeted, or why.
Qualcomm’s spokesperson Catherine Baker told TechCrunch that the company commends "the researchers from Google Project Zero and Amnesty International Security Lab for using coordinated disclosure practices," allowing the company to roll out fixes for the vulnerability.
Qualcomm's spokesperson said that "fixes have been made available to our customers as of September 2024." It’s now up to Qualcomm's customers — the Android device makers that use the vulnerable chipsets — to release the patch to their customers' devices.
In its advisory, Qualcomm listed 64 different chipsets affected by this vulnerability, including the company’s flagship Snapdragon 8 (Gen 1) mobile platform, which is used in dozens of Android phones, including some made by Motorola, Samsung, OnePlus, Oppo, Xiaomi, and ZTE — meaning millions of users around the world are potentially vulnerable.
Posts
0 comments
Post a Comment