Summary created by Smart Answers AI
In summary:
- Tech Advisor reports that Kaspersky discovered a critical hardware vulnerability (CVE-2026-25262) in older Qualcomm chipsets from 2014-2019, affecting devices like Samsung Galaxy S10 5G and Google Pixel 2.
- Attackers with physical access can exploit the Sahara protocol flaw to bypass security measures and embed malware deeply into affected Android devices.
- Users should upgrade to newer devices since these older chipsets no longer receive security updates, leaving millions of phones permanently vulnerable.
A recently identified security flaw in Qualcomm processors widely used in Android devices poses a significant risk. Security experts caution that, in the most severe cases, attackers might gain full control over the affected devices, accessing sensitive information.
Vulnerability lies deep within the system
The Kaspersky ICS CERT analysis reveals that the vulnerability exists in the BootROM of specific Qualcomm chips.
This firmware, embedded in the hardware, operates before the operating system loads, making the vulnerability particularly severe.
Registered as CVE-2026-25262, Kaspersky informed Qualcomm about the issue in March 2025, and Qualcomm confirmed it in April 2025.
The affected Qualcomm chips include:
- MDM9x07
- MDM9x45
- MDM9x65
- MSM8909
- MSM8916
- MSM8952
- SDX50
Additional chips might also be vulnerable.
Affected devices (and possible good news)
Fortunately, these chipsets, released between 2014-2019, are found in older and more affordable devices, as well as flagship phones from several years ago.
Recent models containing these chipsets include the Samsung Galaxy S10 5G, LG V50 ThinQ 5G, OnePlus 7 Pro 5G, and Xiaomi Mi Mix 3 5G.
Foundry
Other devices include, but are not limited to, some models of Galaxy S7 and S8, Google Pixel 2/2XL, LG G5, HTC One A9, Motorola Moto G4/G4 Plus, and Honor 4A.
These devices are considered obsolete and no longer receive software support, including security patches. Thus, users should upgrade to more current devices.
Attacks possible even before booting
The focus of the investigation is the Sahara protocol, which engages when devices switch to Emergency Download Mode (EDL), a maintenance mode. In this state, a computer can transfer software to the device before the operating system starts.
According to Kaspersky, attackers with physical access can bypass security mechanisms, including the Secure Boot Chain, allowing them to embed malware deep within the system, such as backdoors.
Kaspersky offers further technical insights in its analysis of the vulnerability in Qualcomm chips.
Access to data, camera and microphone
If compromised, the potential consequences are extensive. Attackers could:
- Access stored files and contacts
- Read passwords and location data
- Activate the camera and microphone
- Take complete control of the device
Security experts note that such attacks can affect not only individual users but also devices during transport or repairs, potentially compromising the supply chain.
Restarting is not a reliable solution
A simple restart might not resolve the issue, as Kaspersky indicates that malware can be deeply embedded within the system, making it difficult to detect or remove.
Moreover, compromised devices could simulate a reboot. A complete reset is only secure if the power supply is entirely cut off, for example, by fully discharging the battery.
What you should bear in mind now
Although an attack requires physical access, the risk should not be underestimated. Kaspersky advises the following precautions:
- Use only reputable repair shops for device maintenance.
- Avoid leaving your smartphone or tablet unattended whenever possible.
- Monitor access to your devices, especially during transport or handover.
- If you suspect a problem, turn off the device completely and allow the battery to fully discharge.
This article originally appeared on our sister publication PC-WELT and was translated and adapted from German.
