Vulnerability in Qualcomm processors endangers Android devices

Thousands of devices, above all Android phones built on Qualcomm processors, could be exposed to potentially serious vulnerabilities and to data theft.

The cybersecurity company Check Point has discovered a critical vulnerability in Qualcomm processors, which are used in almost half of the world's smartphones, that could lead to data leakage or to the theft of personal information and payment credentials.

The company has warned that the vulnerability is present in TrustZone, the security extension of Arm Cortex-A cores, which Qualcomm uses in a large number of its mobile processors.

Also known as Qualcomm's Secure World, QSEE is a hardware-isolated secure area on the main processor that aims to protect confidential information and provides a secure environment, separate from the normal Android world (the Rich Execution Environment, REE), in which trusted applications run. Among the confidential information, QSEE usually holds private encryption keys, passwords, and credit and debit card credentials.

TrustZone creates an isolated, secure virtual environment that the operating system itself uses to provide confidentiality and integrity for the device. This environment is known as the Trusted Execution Environment (TEE). A vulnerability in this code is critical because the TEE is responsible for protecting the data stored on the device and runs with many more privileges than the normal operating system.

If the integrity of the TEE is compromised, data leaks, bootloader unlocking or undetectable APT execution can follow. An attacker who reaches the TEE could compromise the security of the handset and carry out a range of malicious activities.

The company used a technique called fuzzing, a form of software testing that feeds invalid, unexpected or random data to a program's inputs and monitors for crashes, hangs or memory errors.
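What the fuzzing step described above looks like in code, as an added example that is not Check Point's harness and not Qualcomm or QSEE code: a small mutation fuzzer run against a constructed, deliberately fragile TLV command parser standing in for a trustlet command handler. The parser, its length-trusting bug and the seed inputs are all made up for the illustration.

```python
"""Mutation fuzzer sketch for a command parser.

Added illustration of the fuzzing technique described in the article. This is
not Check Point's harness and not QSEE or trustlet code: the target below is a
constructed, deliberately fragile TLV parser that stands in for a trustlet
command handler, and the seed inputs are made up.
"""
import random
import struct
from typing import Callable, Dict, List, Tuple

# Constructed seed inputs: well-formed records of 1-byte tag, 2-byte
# little-endian length, then `length` bytes of value.
SEEDS = [
    b"\x01\x03\x00abc\x02\x01\x00z",
    b"\x10\x00\x00",
]


def fragile_tlv_parse(buf: bytes) -> List[Tuple[int, bytes]]:
    """Constructed target with a deliberate bug: the declared length is trusted.

    A record whose length runs past the end of the buffer makes the parser
    touch memory it does not own. Python raises IndexError; a C trustlet
    would silently read (or copy) adjacent secure-world memory.
    """
    records = []
    i = 0
    while i < len(buf):
        tag = buf[i]
        # struct.error on a truncated header: the second crash class found below
        (length,) = struct.unpack_from("<H", buf, i + 1)
        _ = buf[i + 3 + length - 1]  # touch the last value byte; out of range if length lies
        records.append((tag, bytes(buf[i + 3 : i + 3 + length])))
        i += 3 + length
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations: bit flips, boundary bytes, resizing."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0:                                  # flip one bit
            pos = rng.randrange(len(data))
            data[pos] ^= 1 << rng.randrange(8)
        elif op == 1:                                # plant an "interesting" byte
            pos = rng.randrange(len(data))
            data[pos] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
        elif len(data) > 1 and rng.random() < 0.5:   # truncate (keep at least 1 byte)
            del data[rng.randrange(1, len(data)):]
        else:                                        # append junk bytes
            data += bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(data)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 2000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Run mutated inputs through `target`; return the first input per crash class.

    Crash class here is just the exception type; a real harness would bucket
    by faulting address or stack trace instead. The RNG is seeded so runs
    are reproducible.
    """
    rng = random.Random(rng_seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except Exception as exc:  # any crash is a finding
            klass = f"{type(exc).__module__}.{type(exc).__name__}"
            crashes.setdefault(klass, case)
    return crashes


def reproduces(target: Callable[[bytes], object], case: bytes) -> bool:
    """True if re-running a saved crashing input still crashes (no flakiness)."""
    try:
        target(case)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    for klass, case in fuzz(fragile_tlv_parse, SEEDS).items():
        print(f"{klass}: {case.hex()} reproduces={reproduces(fragile_tlv_parse, case)}")
```

The two crash classes the loop turns up (an out-of-range read when a mutated length field lies, and a parse failure on a truncated header) are exactly the kind of length-handling mistakes fuzzing tends to surface in command handlers; in a real trustlet the first one would be a secure-world memory disclosure rather than a Python exception.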

Through this technique the company discovered several vulnerabilities affecting Samsung, Motorola and LG smartphones. What all these devices have in common is that they run Qualcomm's QSEE code. In summary, according to the researchers, the vulnerabilities reported in Qualcomm's secure components could allow an attacker to:

  • Run trusted applications in the Normal World (Android).
  • Load patched trusted applications into the Secure World (QSEE).
  • Bypass Qualcomm's chain of trust.
  • Adapt a trusted application to run on another manufacturer's device.

The Secure World, or Qualcomm Secure World, creates the protected environment that the operating system itself relies on for the device's confidentiality and integrity. A vulnerability in this extension can therefore cause failures such as data leakage, bootloader unlocking or information theft. The article presents these attacks as remote; in practice, reaching QSEE means issuing requests through the Android kernel's qseecom driver, so an attacker first needs sufficiently privileged code running in the normal world and then uses the flaw to escalate from Android into the secure world.

“An interesting fact is that we can also load trustlets from another device. All we have to do is replace the hash table, signature and certificate chain in the trustlet .mdt file with those extracted from the device manufacturer’s trustlet”, the researchers added.

Fortunately, given the severity of the issue, Qualcomm, Samsung and LG have already released security patches that fix it, and they recommend that users upgrade to the latest available operating system version. Check Point recommends keeping an eye on bank account activity and installing a security tool that routinely checks the state of the system.

Eusebio Nieva, Check Point’s technical director in Spain and Portugal, said that “it is essential to keep in mind that, although phones are one of the most used devices in our day to day, there is a general tendency not to use protective measures, so through these vulnerabilities cybercriminals find a way to access a large amount of information”.

Qualcomm sent TN Tecno the following statement:

“Providing technologies that provide robust security and privacy is a priority for Qualcomm. The vulnerabilities advertised by Check Point have been patched, one in early October 2019 and the other in November 2014. We have not seen reports of active exploitation, although we encourage end users to update their devices with patches available from original equipment manufacturers.”
