Android warns of Qualcomm exploit in latest security bulletin
Android’s monthly security bulletin published Monday warns of two vulnerabilities with “limited, targeted exploitation” in the wild.
One vulnerability impacts Qualcomm chipsets via a use-after-free vulnerability in its FastRPC driver. Designated as CVE-2024-43047, the bug was reported to be under active exploitation in early October and is rated “high” severity with a CVSS score of 7.8.
A FastRPC driver is a piece of software in Qualcomm’s chip design that helps the main processor talk to the digital signal processor (DSP) using the FastRPC protocol. This driver handles data transfer and remote commands, letting apps use the DSP’s special processing power effectively for tasks like processing media, running machine learning, and other demanding applications.
Although victims have not yet been made public, Qualcomm cited researchers at Google’s Threat Analysis Group for the indications of exploitation which was later confirmed by Amnesty International’s Security Lab.
Qualcomm said in an emailed statement that the company commends “the researchers from Google Project Zero and Amnesty International Security Lab for using coordinated disclosure practices.”
“Regarding their FastRPC driver research, fixes have been made available to our customers as of September 2024. We encourage end users to apply security updates as they become available from device makers,” Qualcomm said.
Neither Google nor the Security Lab at Amnesty International responded to requests for comment. The involvement of the human rights group could be an indication that either state-backed hacking or surveillance activity may be at the center of the narrow campaign.
Monday’s security bulletin also included another vulnerability — CVE-2024-43093 — which Google claims is also under exploitation. However, the vulnerability is currently in the process of being formally reviewed and documented, so no further details have been released.
Kern Smith, vice president of global sales engineering at the mobile cybersecurity firm Zimperium, said attackers are increasingly targeting employee devices to access corporate data and exploit supply chains.
“It’s really a matter of when their devices or apps will be exposed to some level of vulnerability,” Smithsaid. “Mobile devices face the same or similar challenges like any other end point, especially when they’re critical to our personal and also to our professional lives.”
Smith added that targeting mobile hardware is an increasingly common attack method.
There were 44 CVEs fixed in total. You can see the full list on Android’s website.