Qualcomm revealed that hackers already used a critical zero-day vulnerability that had been attacked on millions of Android devices worldwide.
The vulnerability, CVE-2024-43047, was not in the knowledge of the chipmaker at the time it was first abused, marking an increasingly higher threat level in smartphone security.
Qualcomm Zero-Day Vulnerability Exposed
Qualcomm announced Monday, Oct. 7 that hackers exploited a zero-day vulnerability in its chipsets in dozens of chipsets used in top Android devices. GSM Arena reports that a zero-day flaw refers to an unknown security issue at the time of the attack when the maker is not aware of it—hardware or software. This vulnerability poses a significant danger and risk to millions of Android devices across the globe.
Google's TAG, together with the Security Lab of Amnesty International, verified that the flaw might have been experiencing "limited, targeted exploitation." According to Qualcomm, TAG "indicates" it implies certain persons instead of groups of users targeted in the campaign. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the flaw in its known exploited vulnerabilities.
Read More: Google Pay Users Panic as Expired Cards Mysteriously Reappear in Wallets—Here's What Really Happened
Who is Affected by CVE-2024-43047?
As per TechCrunch, Qualcomm's Snapdragon 8 Gen 1 chipset and 63 others feature this security flaw that is currently spread in a variety of different Android handsets featuring giant companies like Motorola, Samsung, OnePlus, Oppo, Xiaomi, and ZTE.
Millions of users of Android are hence at risk of exploitation due to the usage of the chipset on their devices.
Although the campaign is still vague about the identity of those targeted, its nature appears to be a targeted attack and does not include everybody in large groups but rather specifically targets one person against another.
Qualcomm has informed the gadget manufacturers affected to implement a patch so that the users are not exposed to the breach.
Qualcomm's Action and Roll-Out of Patches
Qualcomm, upon being notified of the discovery, swiftly issued patches for this flaw in September 2024. The company thanked researchers at Google Project Zero and Amnesty International for responsible disclosure and for being able to address the flaw even before it was open for miscreants to exploit it further.
Nonetheless, the responsibility now lies with the device manufacturer to ensure that these patches actually land in the hands of the consumers. This gap between its release and rollover to the public puts millions of devices at risk of exploitation before this update can reach the end user.
Amnesty and Google Investigations
Amnesty International and Google are further researching the extent of the zero-day exploitation. Few details are available about the threat actor or the targeted individuals, but Amnesty spokesperson Hajira Maryam added that more research about the attack is expected shortly.
So far, Google has not given any further details but is closely working with Qualcomm and Amnesty regarding the matter.
Related Article: Apple Alerts Users: Zero-Day Vulnerability Under Active Exploitation
© Copyright 2024 Mobile & Apps, All rights reserved. Do not reproduce without permission.
