Serious Qualcomm Flaw Puts Millions of Android Devices at Risk

By Sophia Taylor

A newly disclosed vulnerability in older Qualcomm chips could leave millions of Android phones and other connected devices open to serious compromise. Security researchers at Kaspersky say the issue sits deep inside the device hardware, making it more difficult to detect or remove than ordinary malware.

The flaw, tracked as CVE-2026-25262, affects several Qualcomm chipset series, including MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952 and SDX50. Kaspersky reported the issue to Qualcomm in March 2025, and Qualcomm acknowledged it in April 2025. Researchers also warned that other Qualcomm-based chips may be affected.

The affected chips were commonly used in devices released between about 2014 and 2019. Reported examples include older smartphones such as the Samsung Galaxy S10 5G, LG V50 ThinQ 5G, OnePlus 7 Pro 5G, Xiaomi Mi Mix 3 5G, Google Pixel 2 and Pixel 2 XL, and some Samsung Galaxy S7 and S8 models.

Why this flaw is serious

The vulnerability is found in the BootROM, a piece of firmware built into the chip itself. This code runs before the phone’s operating system starts. Because it sits at such a low level, an attacker who successfully abuses the flaw may be able to bypass protections that would normally help keep the device secure.

Kaspersky’s research focused on the Sahara protocol, which is used when a Qualcomm device enters Emergency Download Mode. This mode is designed for maintenance, recovery and repair, allowing software to be loaded onto a device before the Android operating system starts.

That repair function is useful in legitimate hands, but the flaw means it could also be abused. According to Kaspersky, an attacker with physical access to a vulnerable device may be able to interfere with the secure boot process and install malicious code or backdoors deep inside the system.

What an attacker could do

For consumers, the most important point is that this is not a typical app-based threat. The attacker would usually need physical access to the device, even if only for a short time. That could happen if a phone is left unattended, handed over for repair, or tampered with during shipping or resale.

If the attack succeeds, the consequences could be severe. A compromised phone could expose saved files, contacts, passwords, location data and other sensitive information. Attackers may also be able to access device sensors such as the camera and microphone, depending on the device and attack scenario.

A normal restart may not be enough to fix the problem. Because the malware could be installed below the operating system, it may survive reboots or even make the device appear to restart without fully resetting. Cutting power completely, such as fully draining the battery, may be needed to force a clean restart in some cases.

What phone owners should do

The biggest concern is that many affected phones are now end-of-life, meaning they no longer receive regular security updates from manufacturers. If you still use one of these older models as your main phone, the safest option is to replace it with a newer device that continues to receive security patches.

You should also be careful with physical access to your phone. Avoid leaving it unattended in public places, use reputable repair services, and be cautious when buying second-hand devices that may have passed through unknown hands.

For most people, this is not a reason to panic. The attack is more difficult than a normal phishing scam or malicious app because it requires direct access to the device. But for anyone still relying on an older Android phone with one of the affected Qualcomm chips, it is a strong reminder that outdated hardware can become a long-term security risk.