Chipmaker Qualcomm has acknowledged that hackers took advantage of a zero-day vulnerability in numerous chipsets found in popular Android devices. A zero-day refers to a security flaw that was unknown to the hardware maker when it was exploited.
The vulnerability, officially named CVE-2024-43047, is said to be under limited, targeted exploitation, according to Qualcomm, citing information from Google’s Threat Analysis Group. Amnesty International’s Security Lab also confirmed Google’s findings regarding this issue.
The U.S. cybersecurity agency, CISA, has listed the Qualcomm flaw among known vulnerabilities that have been exploited. At this time, details about the specific individuals targeted with this vulnerability are scarce and unknown.
Qualcomm has commended researchers at Google Project Zero and Amnesty International Security Lab for their coordinated approach to disclosing this vulnerability, which allowed Qualcomm to provide fixes. The company has referred to Amnesty and Google for more information on the threat activity.
Qualcomm has made patches available to its customers since September 2024, and it is now in the hands of Android device makers to release these patches to their customers’ devices. A total of 64 different chipsets, including the Snapdragon 8 (Gen 1) mobile platform, are affected by this vulnerability, potentially impacting millions of Android users globally.
Despite the widespread impact, the fact that Google and Amnesty are investigating this zero-day under limited, targeted exploitation suggests that the hacking campaign was likely aimed at specific individuals rather than a broad group of targets.
Brian Heater contributed reporting.
UPDATE, October 9, 1:07 p.m. ET: This story was updated to include Amnesty’s comment
