Checkpoint discovers four flaws that criminals could exploit via malicious apps.
Hackers could have accessed everything from encrypted corporate email to online banking apps using vulnerabilities recently found to affect Qualcomm chips in up to 900m Android smartphones and tablets.
Checkpoint, an Israeli cyber security company that found four flaws in the chips, said cyber criminals could encourage users to download a malicious app and escalate its privileges so it can see everything on the device.
Michael Shaulov, head of products, mobile and cloud security at Checkpoint, said by accessing the memory of the phone, hackers could peer into encrypted apps to see WhatsApp messages or email or note down banking passwords as they are typed in.
“Everything is copied to the hackers,” he said, on the edge of the cyber security conference Def Con where Checkpoint presented its research on Sunday.
Qualcomm is the leading maker of chips for advanced smartphones, with 65 per cent of the global market for 4G/LTE in 2015, according to data from ABI Research. Checkpoint said devices using Qualcomm chipsets include the Google Nexus 5X, 6 and 6P, HTC One M9 and HTC 10 and the Samsung Galaxy S7 and S7 Edge.
Checkpoint informed both Qualcomm and Google, which develops the Android operating system, of the vulnerabilities.
Google said users of Android devices that have downloaded the most recent security updates are protected from three out of the four flaws. The fourth will be included in an upcoming update.
Until then, Google’s Android partners, manufacturers such as Samsung and HTC which make Android phones, can use Qualcomm’s patches to secure against the fourth vulnerability.
There is no evidence to date that cyber criminals have exploited the flaws.
Alex Gantman, vice-president of engineering for Qualcomm Product Security Initiative, said it had issued patches that fix the problems.
“I take pride in our collaborative relationship with security researchers and I am always appreciative of community’s efforts to help us harden our products,” he said.
Google also said it appreciated the researchers’ help in improving security of the mobile ecosystem, but said hackers would need to get a malicious app on to the phone in the first place.
“Exploitation of these issues depends on users also downloading and installing a malicious application,” Google said. “Our Verify apps and SafetyNet protections help identify, block, and remove applications that exploit vulnerabilities like these.”
Copyright The Financial Times Limited 2016. All rights reserved. You may share using our article tools. Please don’t cut articles from FT.com and redistribute by email or post to the web.