Google has disclosed that a vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks.
The flaw, tracked as CVE-2020-11261 with a CVSS score of 8.4, concerns an “improper input validation” in Qualcomm’s Graphics component. Attackers can exploit the bug to trigger memory corruption, which occurs when an attacker’s app requests access to a large chunk of the device’s memory.
Researchers detected cases in which this flaw has been exploited by bad actors. However, the company has released no further details about the attacks, the identity of the attacker, or the targeted victims.
“There are indications that CVE-2020-11261 may be under limited, targeted exploitation,” the search giant wrote in a January security bulletin published on March 18.
The CVE-2020-11261 flaw was discovered and discreetly reported to Qualcomm by Google’s Android Security team on July 20, 2020, after which Qualcomm patched it in its January 2021 update.
Google researchers noted that the access vector for the vulnerability is “local” – an attacker would need to gain local access to the device to launch a successful attack. The attacker must have physical access to the victim’s smartphone or use other means like a watering hole attack to infect the device with malicious code.
It is possible that Google has chosen to withhold further information about the attack and the attackers for now in order to prevent other bad actors from taking advantage of the bug.
Users of Android devices that use Qualcomm chipsets are urged to install the monthly security updates as soon as Google releases them to protect their devices.
Google notes that its security patch levels of 2021-01-05 or later addressed the issues described in the March 18 bulletin.
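To check a device against that patch level, the following added example (not code from Google or Qualcomm) compares a reported security patch level with 2021-01-05. The function names `patch_status` and `check_connected_device` are hypothetical, the `--adb` mode assumes `adb` is installed with one device connected and USB debugging enabled, and the script does not verify that the device uses a Qualcomm chipset.

```shell
#!/bin/sh
# Patch level that, per the article, addresses the issue.
REQUIRED_PATCH="2021-01-05"

# patch_status LEVEL
# Prints "patched", "vulnerable" or "invalid" for a YYYY-MM-DD patch level.
patch_status() {
    # Older adb versions append a carriage return to property values.
    level=$(printf '%s' "$1" | tr -d '\r')
    # Reject empty or malformed values instead of guessing.
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 0 ;;
    esac
    # With the dashes removed, YYYYMMDD values compare as plain integers.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_PATCH" | tr -d '-')
    if [ "$have" -ge "$need" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# check_connected_device
# Reads the patch level from the attached device over adb and reports it.
check_connected_device() {
    reported=$(adb shell getprop ro.build.version.security_patch)
    status=$(patch_status "$reported")
    echo "security patch level: ${reported:-<none>} -> $status"
    [ "$status" = "patched" ]
}

# Only touch adb when explicitly asked, e.g.: sh check_patch.sh --adb
if [ "${1:-}" = "--adb" ]; then
    check_connected_device
fi
```

Run with `--adb`, the script exits non-zero when the device reports a patch level older than 2021-01-05 or an unreadable value, which makes it usable in a device-inventory loop.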