A serious security flaw affecting Qualcomm’s mobile station modems (MSM) was recently disclosed by security research team Check Point, who claims that the vulnerability could be exploited to inject malicious code into the phone by using the Android operating system itself as an entry point. The affected chip(s) are reportedly responsible for connecting nearly 40% of all smartphones in the world, including high-end phones from Samsung and other OEMs.

The research team found that if a researcher wants to explore the latest 5G code in devices powered by Qualcomm’s modems by implementing a debugger, ‘the easiest way to do that is to exploit MSM data services through QMI’ (Qualcomm MSM Interface). The investigation revealed a ‘vulnerability in modem data service that can be used to control the modem and dynamically patch it from the application processor.’

Numerous Samsung Galaxy devices remain vulnerable to this threat

The good news is that although the security flaw was publicly disclosed earlier today, it has already been addressed and patched by Qualcomm in December 2020. The issue was kept under wraps for obvious security reasons.

The not-so-good news is that numerous smartphones developed by Samsung (as well as other OEMs) are still vulnerable as of this writing. As always, if a part manufacturer such as Qualcomm releases a patch for its hardware, it’s up to smartphone OEMs to distribute the update as they see fit. And because we live in the world of Android OS where fragmentation is par for the course, some devices will be updated sooner than others, with availability differing by region.

Now, because Check Point has decided to make this issue public, this indicates that smartphone OEMs — including Samsung — should now be in the process of updating their devices to address the security flaw, however, it may take some time.

The May 2021 security patch is now rolling out for numerous Galaxy devices, but it might not contain the necessary fixes for this issue. The security patch does include a fix for devices powered by both Exynos and Qualcomm chipsets — one that was reported in December — but it doesn’t seem to match Check Point’s description. Qualcomm has classified the vulnerability as ‘CVE-2020-11292,’ and this classification was not mentioned in Samsung’s latest security bulletin.

Update: Samsung has since updated the May 2021 security bulletin and confirmed that the security flaw classified as “CVE-2020-11292” has been gradually patched since January.

Original story continues:

At the end of the day, what this means is that Samsung is, or should soon be in the process of releasing a new security patch that fixes Qualcomm’s security flaw. However, we’re not sure how many models are affected or if the May 2021 security patch addresses it in any capacity.

Either way, mobile device users should make sure that they’re always running the latest security updates. SamMobile readers can refer to our new online tool to check if their phone runs the latest security patch available in their region.