Qualcomm, Google push fix for ‘QualPwn’ flaw in August security patch

The QualPwn flaw could allow over-the-air access to a phone's kernel

Qualcomm logo

Some of the monthly Android security patches are more important than others, and the recent August patch is essential.

Qualcomm and Google included a fix in the patch for a critical flaw in Snapdragon chips dubbed ‘QualPwn’ that could give attackers direct, over-the-air access to a phone’s underlying Linux kernel.

For the unfamiliar, the Linux kernel forms the core of the OS and handles requests to and from the hardware, memory and process management. Essentially, the kernel is responsible for running Android at the lowest level.

Needless to say, an attacker gaining access to the kernel is bad news.

Thankfully, Blade Team, a security research division within Chinese investment holdings company Tencent, discovered and disclosed the vulnerabilities. Blade specifically tested the Snapdragon 835 and 845 chips and discovered an attacker on the same Wi-Fi network as your device could connect to certain debug settings within the Qualcomm modem. From those settings, the attacker can gain access to the kernel.

Blade tested the function on the Google Pixel 2 and Pixel 3, but since the flaw affects the chip itself, the vulnerability is likely present on far more devices. However, Blade says it hasn’t seen the use of the vulnerability in the wild.

Qualcomm notified manufacturers of the QualPwn exploit and rolled out fixes back in June. Google and Essential included them in the August security update. OnePlus did as well but managed to roll out the August patch in July.

Source: Tencent Blade

Via: 9to5Google