The Android Open Source Project (AOSP) website has published its Security Bulletin for August 2019, in which details of two high-severity issues affecting Android devices powered by Qualcomm processors are described. The two security flaws, together known as 'QualPwn', have been patched in the August 2019 over-the-air Android security update. At least one of the two issues affects Qualcomm's Wi-Fi and cellular hardware in a number of popular current and retired smartphone SoC models including the Snapdragon 855, 845, 835, 820, 730, 712, 710, 675, 670, 665, and 636. The Snapdragon 850 and 8CX which are designed for laptops, and several other special-purpose processors aimed at the automotive, IoT, and smart speaker segments, are also affected.
The issues have been publicised by Tencent Blade, the security arm of Chinese gaming company Tencent. As reported by ZDNet, these flaws can be exploited over the air and do not require hands-on access to a target device, but they do need proximity since an attacker would need to be using the same Wi-Fi network.
By sending a maliciously modified data packet to the target device, over either a Wi-Fi or cellular connection, the attacker could use these two flaws to create a chain of events that can compromise the device's Android kernel. No action would be required on the part of the device user. On its own, the first flaw could still allow an attacker to spy on a device's communications.
Qualcomm says it has already released a patch to its partners which they can distribute in future software updates, though many of these manufacturers do not release regular software updates for their phones, especially older models. The August 2019 Android security patch also includes a fix.
Tencent Blade says it has verified the flaw using a Google Pixel 3 (Review) and a Google Pixel 2 (Review), which use the Snapdragon 845 and Snapdragon 835 processors respectively, but has not tried other devices. The company's researchers will present more information beginning this week at the Black Hat and Defcon security conferences. No evidence of these flaws actually being exploited in the wild has been presented.
The flaws were first uncovered in February, after Tencent Blade informed Google, which then roped Qualcomm in. Qualcomm issued its patch to OEMs in early June. Tencent Blade is only now disclosing this information because enough time has passed for the update to make its way into the August 2019 Android patch.