Millions of budget smartphones that use UNISOC chipsets could have their communications remotely disrupted by hackers due to a critical vulnerability discovered recently by researchers at cybersecurity firm Check Point.
Chipsets made by UNISOC, one of China’s largest mobile phone chip designers, are widely used in budget smartphones, particularly ones sold in Asia and Africa. The company was called Spreadtrum until 2018, when it rebranded as UNISOC.
At the end of 2021, UNISOC had an 11% share of the smartphone application processor market, being ranked the fourth after Mediatek, Qualcomm and Apple.
Researchers at Check Point have analyzed UNISOC modem firmware and discovered that it’s affected by a serious vulnerability that can allow an attacker to launch a remote denial-of-service (DoS) attack against a device by using a specially crafted packet.
“We reverse-engineered the implementation of the LTE protocol stack and discovered a vulnerability that could be used to deny modem services and block communications,” the company explained in a blog post.
It warned, “A hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location.”
Check Point has made available the technical details of the vulnerability, which is tracked as CVE-2022-20210.
Several of Google’s Android updates released in the past year included patches for UNISOC vulnerabilities. Check Point says Google plans on addressing this latest flaw with an upcoming Android update.
The vendor, which gave the vulnerability a CVSS score of 9.4 (critical severity), patched it in May, the same month it learned of its existence.
In March 2022, mobile security company Kryptowire reported that smartphones with UNISOC chips were affected by a critical vulnerability related to a pre-installed app (CVE-2022-27250), which could allow a malicious application to take control of user data and device functionality.