Researchers from Check Point, a cybersecurity firm, found the digital signal processor (DSP) in Qualcomm Snapdragon chips had over 400 pieces of vulnerable code. The vulnerabilities, altogether dubbed "Achilles", can impact phones in three major ways.
Attackers would only have to convince someone to install a benign app that bypasses usual security measures. Once that's done, an attacker could turn the affected phone into a spying tool.
They'd be able to access a phone's photos, videos, GPS, and location data. Hackers could potentially also record calls and turn on the phone's microphones without the owner ever knowing.
Alternatively, an attacker could choose to render the smartphone completely unusable by locking all the data stored on it in what researchers described as a "targeted denial-of-service attack." Lastly, bad actors could also exploit the vulnerabilities to hide malware in a way that would be unknown to the victim, and unremovable.
Part of why so many vulnerabilities were found is that the DSP is a sort of "black box". It's difficult for anyone other than the manufacturer of the DSP to review what makes them work.
The article notes that Qualcomm has no evidence of the vulnerability being exploited in the wild, adding that the company has "reportedly since fixed the issue".
But they also note that it's still up to individual phone makers to push out the relavant security paches, "which could take some time".