Advertisement

Android warns of Qualcomm exploit in latest security bulletin

The November security bulletin includes two CVE's reportedly exploited in the wild.
Listen to this article
0:00
Learn more. This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.
Screen of smartphone with icons. (Getty Images)

Android’s monthly security bulletin published Monday warns of two vulnerabilities with “limited, targeted exploitation” in the wild.

One vulnerability impacts Qualcomm chipsets via a use-after-free vulnerability in its FastRPC driver. Designated as CVE-2024-43047, the bug was reported to be under active exploitation in early October and is rated “high” severity with a CVSS score of 7.8.

A FastRPC driver is a piece of software in Qualcomm’s chip design that helps the main processor talk to the digital signal processor (DSP) using the FastRPC protocol. This driver handles data transfer and remote commands, letting apps use the DSP’s special processing power effectively for tasks like processing media, running machine learning, and other demanding applications.

Although victims have not yet been made public, Qualcomm cited researchers at Google’s Threat Analysis Group for the indications of exploitation which was later confirmed by Amnesty International’s Security Lab.

Advertisement

Qualcomm said in an emailed statement that the company commends “the researchers from Google Project Zero and Amnesty International Security Lab for using coordinated disclosure practices.”

“Regarding their FastRPC driver research, fixes have been made available to our customers as of September 2024. We encourage end users to apply security updates as they become available from device makers,” Qualcomm said.

Neither Google nor the Security Lab at Amnesty International responded to requests for comment. The involvement of the human rights group could be an indication that either state-backed hacking or surveillance activity may be at the center of the narrow campaign.

Monday’s security bulletin also included another vulnerability — CVE-2024-43093 — which Google claims is also  under exploitation. However, the vulnerability is currently in the process of being formally reviewed and documented, so no further details have been released.

Kern Smith, vice president of global sales engineering at the mobile cybersecurity firm Zimperium, said attackers are increasingly targeting employee devices to access corporate data and exploit supply chains. 

Advertisement

“It’s really a matter of when their devices or apps will be exposed to some level of vulnerability,” Smithsaid. “Mobile devices face the same or similar challenges like any other end point, especially when they’re critical to our personal and also to our professional lives.”

Smith added  that targeting mobile hardware is an increasingly common attack method.
There were 44 CVEs fixed in total. You can see the full list on Android’s website.

Latest Podcasts