When it comes to Android’s monthly security updates, some months can be more important than others. With the August 2019 Android security patch, Google and Qualcomm have fixed a set of “critical” vulnerabilities in their Snapdragon chips, dubbed “QualPwn,” that could allow hackers access to your phone’s underlying Linux kernel over the air.
Blade Team, a security research division within Tencent, disclosed a new chain of vulnerabilities within Qualcomm’s Snapdragon 835 and 845 chips. More precise details are going to be released later this week, but the gist is that a hacker on the same Wi-Fi network can connect to the debug settings of the Qualcomm modem chip. From there, the hacker has direct access to your phone’s Linux kernel.
Tencent Blade states that they only directly tested on Google Pixel 2 and Pixel 3 devices, but given that the vulnerability lies in those devices’ underlying Qualcomm Snapdragon 835 and 845 chips, more phones are sure to be affected. Thankfully, the team notes that this Snapdragon vulnerability has not been seen in use in the wild.
OEMs are fully aware of the particularly high risk involved with the QualPwn exploit and were given fixes by Qualcomm back in June. Google and Essential, as you would expect, have already released the August patch for their devices, but OnePlus also surprisingly rolled out the August patch in July.
Qualcomm gave a similar statement to ZDNet on the matter, noting that they’ve already done everything in their power to fix the Snapdragon vulnerability via the August patch and pass the fix along to the various OEMs.
“Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.”
If you’re interested in seeing a full demonstration of QualPwn in action, Tencent Blade will be presenting it at Black Hat USA 2019 on Thursday.