Serious Android flaw threatens hundreds of millions of users — what to do

News
By published

Modem flaw could be used to steal data, hide malware

Android 12 release date, beta and features
(Image credit: Photo Illustration by Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images)

A deep-rooted flaw in Qualcomm chips threatens hundreds of millions of Android phones.

The news comes form Israeli security firm Check Point in a new report. The security firm says hackers could use the flaw to read your text messages, listen to your phone conversations and in some cases even unlock your SIM card. Qualcomm told Tom's Guide that it has released a fix for the flaw to handset makers, but it may still be some time before many handset makers push the fix out to most users' phones.

The vulnerability lies in the Mobile Station Modem (i.e., a cellular modem), which dates back to 1990 and is still present in the integrated chipsets of the latest 5G-enabled phones, Check Point says.

Check Point estimates that up to 30% of Android phones worldwide, including top models made by Samsung, Google, Xiaomi, LG and OnePlus, have the Qualcomm modem software that includes this vulnerability. Other top makers using Qualcomm chips include Asus, Sony and ZTE. 

Apple devices or Android phones that use chipsets by other manufacturers are not affected.

What can you do about this Qualcomm flaw?

There's not much you can do to fix this problem yourself other than to install system updates as they come. Check Point suggests that while you wait for a fix, you should follow the standard Android best practices: Avoid app stores other than Google Play, and run one of the best Android antivirus apps. 

"Qualcomm Technologies has already made fixes available to OEMs in December 2020, and we encourage end users to update their devices as patches become available," a Qualcomm representative told us.

The catalog number assigned to this flaw, CVE-2020-11292, is not mentioned in any recent Android security bulletin, including the May Android security bulletin released three days ago. It's possible Google has quietly patched it in secret, although there are plenty of other "closed-source components" in each month's updates.

A Qualcomm representative told Tom's Guide that the fix would be publicly included in the June Android security bulletin next month. 

The Qualcomm representative added that Check Point's attack scenario seems kind of pointless because it would involve breaching Android security first. That would already give the attacker the same kind of information about texts and calls that could be gleaned from breaking into the MSM modem afterward.

Because each handset maker crafts its own updates for each model, it's possible that manufacturers such as Samsung or Sony may have bundled the fix for CVE-2020-11292 into its own updates.

"We do not know who patched or not," a Check Point representative told Tom's Guide. "From our experience, the implementation of these fixes takes time, so many of the phones are likely still prone to the threat."

So if your Qualcomm-using phone has not had a system update since November 2020, it's a safe bet that your phone has not been patched against this flaw. If it has had an update since then, then it may have been patched.

Technical details still under wraps

On the upside, there have been no reports of bad guys exploiting this flaw in the wild. Check Point has left out several of the technical details of the vulnerability so that readers of its report won't be able to try it themselves.

Qualcomm's modems are pretty hard to successfully attack from the network side, Check Point said. So the Israeli company's researchers took the opposite approach and found they could hack into the modems from the Android operating system itself.

They were able to inject malicious code into the Qualcomm MSM Interface (QMI), which Check Point described as "a proprietary protocol that enables communication between the software components in the MSM and other peripheral subsystems on the device such as cameras and fingerprint scanners."

That injected code could let the attackers, or Android malware, read call logs and SMS text messages, and  eavesdrop on phone calls. Depending on the handset manufacturer, who can add additional capabilities to QMI, the flaw could also let attackers unlock the phone's SIM card.

Android malware could even use the modem as a place to "hide" from Android's security scanners or Android antivirus software, because one would have access to the modem's low-level processes.

Check Point notified Qualcomm of this flaw in October 2020, and told the chip maker that it would be making the flaw public in April 2021. It's not clear why Check Point waited until a few days into May.

See more Phones News
TOPICS
Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Read more
Google Pixel 9 held in the hand.
Google just fixed a zero-day kernel flaw used by hackers and 47 other vulnerabilities — update your Android phone right now
Android 12
Google March Android Security Update fixes two high severity vulnerabilities — update now
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Windows
240 million Windows 10 users are vulnerable to six different hacker exploits — protect yourself now
Green skull on smartphone screen.
This Android banking trojan steals passwords to take over your accounts — and all it takes is a single text message
Find My iPhone
Apple Find My hack turns any Bluetooth device into a secret AirTag — what we know
Latest in Android Phones
Samsung Galaxy S25 Edge next to Galaxy S25 Plus
Samsung Galaxy S25 Edge vs. Galaxy S25 Plus: Everything we know so far
Samsung Galaxy S25 Ultra vs S25 Plus vs S25
Satellite messaging on Google Pixel 9 and Samsung Galaxy S25 just landed on 3 more carriers
back of Iris Pixel 9a
The Google Pixel 9a is lacking one of the Pixel 9’s best safety features — here’s what we know
vivo x200 ultra camera array
Vivo’s next premium phone could have a camera unlike anything we’ve seen before — here’s how
Google Pixel 9a with thumbs up and thumbs down icons
Google Pixel 9a — 5 reasons to buy and 3 reasons to skip
Pixel 9 Pro XL held in the hand with price drop badge.
Not a typo! This epic deal makes the flagship Pixel 9 Pro XL the same price as the budget Pixel 9a
Latest in News
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
Lewis Hamilton of Great Britain and Scuderia Ferrari looks on during Sprint Qualifying ahead of the F1 Grand Prix of China at Shanghai International Circuit in Shanghai, China, on March 21, 2025. (Photo by Song Haiyuan/Paddocker/NurPhoto via Getty Images)
How to watch F1 Chinese GP 1 2025 online without cable – Sprint race, Qualifying
NYTimes Connections
NYT Connections today hints and answers — Saturday, March 22 (#650)
Nintendo Switch 2
Nintendo Switch 2 — 7 biggest questions that need answers at Nintendo Direct April 2
iPhone 17 Air render
iPhone 17 Air — new survey could be bad news for Apple's super thin iPhone
Segway g30lp
Segway recalls 220,000 electric scooters - what to do if yours is on the list
More about android phones
Samsung Galaxy S25 Edge next to Galaxy S25 Plus

Samsung Galaxy S25 Edge vs. Galaxy S25 Plus: Everything we know so far
Samsung Galaxy S25 Ultra vs S25 Plus vs S25

Satellite messaging on Google Pixel 9 and Samsung Galaxy S25 just landed on 3 more carriers
Hacker using a stolen social security card

Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
See more latest
Most Popular
Netflix
3 Netflix movies I'm adding to my watchlist before they leave this month
Composite image featuring Colman Domingo in "Sing Sing", Cynthia Erivo in "Wicked" and Anthony Ramos and Glen Powell in a scene from "Twisters"
5 best new movies to stream this weekend on Netflix, Prime Video, Max and more
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #384 (Saturday, March 22 2025)
NYTimes Connections
NYT Connections today hints and answers — Saturday, March 22 (#650)
Lewis Hamilton of Great Britain and Scuderia Ferrari looks on during Sprint Qualifying ahead of the F1 Grand Prix of China at Shanghai International Circuit in Shanghai, China, on March 21, 2025. (Photo by Song Haiyuan/Paddocker/NurPhoto via Getty Images)
How to watch F1 Chinese GP 1 2025 online without cable – Sprint race, Qualifying
Nintendo Switch 2
Nintendo Switch 2 — 7 biggest questions that need answers at Nintendo Direct April 2
iPhone 17 Air render
iPhone 17 Air — new survey could be bad news for Apple's super thin iPhone
Segway g30lp
Segway recalls 220,000 electric scooters - what to do if yours is on the list
The New York Mets’ Juan Soto prepares to throw a ball
MLB live stream 2025: How to watch Major League Baseball online from anywhere