On Monday, chipmaker Qualcomm confirmed that hackers exploited a zero-day — meaning a security flaw that was unknown to the hardware maker when it was abused — in dozens of its chipsets found in popular Android devices.
The zero-day vulnerability, officially designated CVE-2024-43047, “may be under limited, targeted exploitation,” according to Qualcomm, citing unspecified “indications” from Google’s Threat Analysis Group, the company’s research unit that investigates government hacking threats. Amnesty International’s Security Lab, which works to protect civil society from digital surveillance and spyware threats, confirmed Google’s assessment, Qualcomm said.
U.S. cybersecurity agency CISA included the Qualcomm flaw in its list of vulnerabilities that are known to be, or have been, exploited.
At this point, there aren’t many details about who was exploiting this vulnerability “in the wild” — meaning that whoever was using the zero-day was targeting individuals in real hacking campaigns. It also is not yet known which individuals were targeted, or why.
Qualcomm’s spokesperson Catherine Baker told TechCrunch that the company commends “the researchers from Google Project Zero and Amnesty International Security Lab for using coordinated disclosure practices,” allowing the company to roll out fixes for the vulnerability.
The chipmaker referred to Amnesty and Google for more details about the threat activity.
Amnesty spokesperson Hajira Maryam told TechCrunch that the nonprofit will have research about this vulnerability “due to be out soon.”
Google spokesperson Kimberly Samra said TAG has nothing to add at the moment.
Qualcomm’s spokesperson said that “fixes have been made available to our customers as of September 2024.” It’s now up to Qualcomm’s customers — the Android device makers that use the vulnerable chipsets — to release the patch to their customers’ devices.
In its advisory, Qualcomm listed 64 different chipsets affected by this vulnerability, including the company’s flagship Snapdragon 8 (Gen 1) mobile platform, which is used in dozens of Android phones, including some made by Motorola, Samsung, OnePlus, Oppo, Xiaomi, and ZTE — meaning millions of users around the world are potentially vulnerable.
That being said, the fact that Google and Amnesty are investigating the use of this zero-day under “limited, targeted exploitation” suggests the hacking campaign was likely used against specific individuals, rather than a large number of targets.
Brian Heater contributed reporting.
UPDATE, October 9, 1:07 p.m. ET: This story was updated to include Amnesty’s comment.