A deep-seated flaw in Qualcomm's chips threatens hundreds of millions of Android phones.

The news comes from a new report by Israeli security firm Check Point. According to the security firm, hackers can use the flaw to read text messages, listen in on phone conversations, and in some cases unlock SIM cards. Qualcomm told Tom's Guide that it has released a fix for the flaw to handset makers, but that it will be some time before many handset makers distribute the fix to most users' phones. [Check Point said the vulnerability exists in Mobile Station Modem (i.e., cellular modem), which dates back to 1990 and is still present in the integrated chipsets of modern 5G-enabled phones.

Check Point estimates that up to 30% of Android phones worldwide, including top models from Samsung, Google, Xiaomi, LG, and OnePlus, have Qualcomm modem software containing this vulnerability. Other top manufacturers using Qualcomm chips include Asus, Sony, and ZTE.

Apple devices and Android phones using chipsets from other manufacturers are not affected.

There is not much you can do yourself to fix this problem other than install system updates as they become available. Check Point recommends following standard Android best practices while waiting for a fix: avoid app stores other than Google Play and choose the best antivirus app for Android.

"Qualcomm Technologies has already provided a fix for OEMs in December 2020, and we encourage end users to update their devices as soon as the patch is available," a Qualcomm representative said.

The catalog number assigned to the flaw, CVE-2020-11292, is not listed in recent Android security bulletins, including the May Android security bulletin released three days ago. There are many other "closed source components" in the monthly updates, but it is possible that Google has been secretly patching them.

A Qualcomm representative told Tom's Guide that the fix will be publicly included in next month's June Android security information.

The Qualcomm representative added that the Check Point attack scenario does not seem to make much sense because it would first breach Android security. This is because the Android security would have to be breached first. Doing so would give the attacker the same kind of information about texts and calls that could be obtained by breaking into an MSM modem.

Since each phone manufacturer creates its own updates for each model, manufacturers such as Samsung and Sony may have bundled the CVE-2020-11292 fix into their own updates.

"We don't know who patched it or not," a Check Point representative told Tom's Guide.

"Our experience has been that it takes time to implement these fixes, so it is possible that many phones are still exposed to this threat."

Therefore, if a phone using Qualcomm has not received a system update since November 2020, it is likely that the phone has not been patched for this flaw. If there has been an update since then, the patch may have been applied.

On a positive note, there have been no reports yet of bad guys exploiting this flaw. Check Point omitted some of the technical details of the vulnerability so that readers of the report would not be able to try this vulnerability themselves. [According to Check Point, it is quite difficult to attack Qualcomm's modems from the network side. So the Israeli company's researchers took the opposite approach and discovered that they could penetrate the modem from the Android operating system itself. [QMI is "a proprietary protocol that allows communication between software components in the MSM and other peripheral subsystems on the device, such as cameras and fingerprint scanners," Check Point explains.

The injected code could allow attackers or Android malware to read call logs and SMS text messages or eavesdrop on calls. Depending on the handset manufacturer that can add functionality to QMI, this flaw could allow an attacker to unlock the phone's SIM card.

Android malware can even use the modem as a place to "hide" from Android security scanners and Android anti-virus software because it can access low-level processes in the modem. [Check Point notified Qualcomm of this flaw in October 2020 and told Qualcomm it would disclose this flaw in April 2021. It is unclear why Check Point waited until a few days into May to do so.