On Monday, chipmaker Qualcomm confirmed that hackers exploited a zero-day — meaning a security flaw unknown to the hardware maker when it was abused — in dozens of its chipsets found in popular Android devices.
Exploitation of the zero-day vulnerability, with an official CVE-2024-43047 name assigned, is likely limited and targeted, Qualcomm said, quoting unspecified "indications" from Google's Threat Analysis Group, the company's research unit that tracks government hacking threats. Amnesty International's Security Lab, working to protect civil society from digital surveillance and spyware threats, confirmed the risk of exploitation as assessed by Google, Qualcomm added.
CISA, the U.S. cybersecurity agency, added Qualcomm's flaw to its list of known, or known to have been, exploited vulnerabilities.
Not much more is known at this point about who was using this vulnerability "in the wild" — meaning that whoever was using the zero-day was targeting real hacking campaigns targeted toward individuals. Neither is known how such individuals were targeted, or why.
The spokesperson for the firm, Catherine Baker, told TechCrunch that the firm welcomes "the researchers from Google Project Zero and Amnesty International Security Lab for using coordinated disclosure practices," allowing the company to roll out fixes for the vulnerability.
The chipmaker referred to Amnesty and Google for more information on the threat activity.
Amnesty spokesman Hajira Maryam told TechCrunch the nonprofit will have research about this vulnerability "due out soon."
Google spokesperson Kimberly Samra said TAG has nothing to add at this time.
According to its spokesperson, "fixes have been made available to our customers as of September 2024." Now, it is up to Qualcomm's customers, the companies that manufacture Android gadgets which use vulnerable chipsets, to release the patch for such devices into their customers' hands.
In its advisory, Qualcomm listed 64 different chipsets that were vulnerable to this flaw, including the company's flagship Snapdragon 8 (Gen 1) mobile platform, used in dozens of Android phones, including some made by Motorola, Samsung, OnePlus, Oppo, Xiaomi, and ZTE - meaning millions of users around the globe.
However, given Google and Amnesty that have just recently investigated the use of this zero-day for limited, focused exploitation, the hacking campaign was likely deployed on a much smaller scale, in thousands rather than tens of thousands.