A heap overflow vulnerability in Qualcomm’s Snapdragon 855 system-on-chip modem firmware, used in Android devices, could be exploited by baddies to run arbitrary code on unsuspecting users’ devices, according to Check Point.

The software bug, tracked as CVE-2020-11292, can be abused to trigger a heap overflow in devices that use a Qualcomm Mobile Station Modem (MSM) chip, thanks to some in-depth jiggery-pokery in the Qualcomm MSM Interface (QMI) voice service API.

“If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations,” said some not-at-all-excitable researchers from Israeli security firm Check Point in a blog post today.

The vuln, with a CVSSv3 score of 7.8, was disclosed and patched in autumn last year, Qualcomm told The Register. Fixes were made available to handset makers from December onwards. The chipmaker added that so far it has seen no evidence that the vuln was abused in the wild.

Around 30 per cent of all mobile phones in the world ran Qualcomm chips by the end of 2020, according to research consultancy Counterpoint

QMI is a Qualcomm protocol that handles communications between a mobile handset’s modem and other peripheral subsystems that humans can jab, poke and wipe their dead fingerprints across. QMI exposes logical ports to the host device CPU through which software on it communicates with the device’s modem, and thence the outside world.

It’s a big target for malicious people: if you can compromise the modem firmware to give you an unencrypted feed of traffic going up and down the radio, you can (eventually) listen in on the device’s user. Previous research from 2019 achieved this goal against the Snapdragon 835, 845 and 855 chips by entering via Wi-Fi controller firmware, exploiting two CVE-rated vulns in doing so.

Check Point said its researchers had fuzzed a Snapdragon SM8150 (aka Snapdragon 855) SoC from a Google Pixel 4 Android handset. The heap overflow its researchers were able to induce is of interest because it offers a way into the device that could potentially be exploited by cybercriminals to compromise software or apps running on it: as the infosec company put it, once a crim has access to the MSM through QMI, they can patch it to force it to grant them access to modem traffic.

Malicious people, in Check Point’s words, could use this vulnerability “to inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS, as well as the ability to listen to the device user’s conversations.”

A Qualcomm spokesman told The Register: “We commend the security researchers from Check Point for using industry-standard coordinated disclosure practices. Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available.”

Check Point said it hoped the research would “be a potential leap” allowing any old infosec bod to inspect Qualcomm MSM firmware, something that QMI has, so far, seemingly staved off. ®