It is understood that this vulnerability, tracked as CVE-2018-11976, can be used to steal confidential information stored in Qualcomm chips and affects Android devices that use the related chips.
After discovering the vulnerability last year, Qualcomm notified its customers in October 2018 and provided them with security patches. The vulnerability was then disclosed in April this year, in consultation with NCC Group and in accordance with industry practice.
It is reported that an attack requires kernel permissions. That is to say, the vulnerability can be exploited only if the device has already been deeply compromised. If the user has installed the software patch provided by the manufacturer, the vulnerability has been fixed.
Qualcomm stressed that security patches were provided to device vendors at the end of last year, and that no incidents of exploitation of the vulnerability have been identified so far.
It is common practice in the industry to work with security research organizations to identify software vulnerabilities and provide security patches in a timely manner. End users can ensure the security of their devices by updating promptly once the operator or the device manufacturer provides the software patch, and by downloading applications only from a secure application store.