Well, it’s not pretty.
Google released a warning that some Android phones can be hacked remotely, without the intended victim having to click on anything.
If an attack is successful, a hacker could access data passing through the Samsung Exynos chipsets used in many devices, including call information and text messages.
And what does a hacker need to know about you to target your phone?
Your phone number.
That’s it. All they need to know is the phone number of your Android device.
Honestly, it’s horrible. It’s easy to imagine how such a security problem could be exploited by – oh, I don’t know – state-sponsored hackers.
Security boffins working on Google’s Project Zero team say they discovered a total of 18 zero-day vulnerabilities in the built-in Exynos modems of some phones – with four of the vulnerabilities being particularly severe:
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction, and only require the attacker to know the number of the victim’s phone. With limited additional research and development, we believe that skilled attackers can quickly create an operational exploit to compromise affected devices silently and remotely.
According to the researchers, other vulnerabilities require either a malicious mobile network operator or an attacker with physical access to the Android device.
Vulnerable devices include:
- Samsung smartphones, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
- Vivo smartphones, including those in the S16, S15, S6, X70, X60 and X30 series;
- Google Pixel 6 and Pixel 7 devices; and
- any vehicle that uses the Exynos Auto T5123 chipset.
It is worth noting that some devices use a Qualcomm chipset and modem, which does not suffer from the same weaknesses as the Exynos one.
Of course, Project Zero’s vulnerability hunters have no qualms about detailing how security holes can be exploited, and typically share such information publicly 90 days after notifying the relevant software or hardware vendor of the problem.
In this case, however, the Google team appears to recognize that public disclosure at this stage could actually cause major problems:
Under our standard disclosure policy, Project Zero discloses security vulnerabilities to the public within a specified time after they are reported to a software or hardware vendor. In the few rare cases where we’ve determined attackers would benefit more than defenders if a vulnerability were disclosed, we’ve made an exception to our policy and delayed the disclosure of that vulnerability.
Due to an extremely rare combination of the level of access these vulnerabilities provide and the speed at which we believe a reliable operational exploit can be made, we have decided to make an exception to the policy to delay disclosure for four vulnerabilities that allow for Internet-to-baseband remote code execution.
If you have an affected Google Pixel device, there is good news. Google has already provided a security patch for your smartphone with its March 2023 security update.
However, if you are the owner of a vulnerable Samsung smartphone, fixes are still not available according to at least one Google Project Zero researcher.
End-users still don’t have patches 90 days after report…. https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
So what should you do if your device hasn’t been patched?
Google’s recommendation is that you change your device settings to turn off Wi-Fi calling and Voice over LTE (VoLTE), until a fix is available for your smartphone.