Hackers could compromise a device "silently and remotely," Google security researchers said.
NEW YORK — A hacker would only need someone's phone number to exploit a serious vulnerability in some Android phones, Google Project Zero is warning.
Project Zero, the tech giant's security research team, said it found serious vulnerabilities affecting dozens of Android phone models and other devices that use Exynos modems.
Google Project Zero director Tim Willis said skilled hackers could easily exploit the flaws and gain complete access to a device without the user ever knowing.
"With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely," Willis said in a blog post.
Affected devices include, but may not be limited to:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series. According to TechReport, only the international version of the Samsung S22 is affected.
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
- Google Pixel 6 and Pixel 7 series
- Vehicles that use the Exynos Auto T5123 chipset
Google said its March security update fixed the flaws for Pixel 6 and Pixel 7 phones, so users of those phones should be sure their phone is up to date.
Updates to https://t.co/u6s6p8eNTr
* The four severe Internet-to-baseband RCE vulns now have CVE-IDs
* Pixel just updated their March 2023 bulletin to show fixes for all four of the severe issues for Pixel 6 and 7
* I'm told that the Pixel 6 March OTA update is rolling out now. https://t.co/ns1zNPi8J2
What should you do?
Until more patches are released, users with affected devices should turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings and update their devices as soon as possible.
To turn off Wi-Fi calling:
- Open the Phone app
- Select more options (three vertical dots), and then tap Settings
- Tap Wi-Fi Calling
- Tap the switch if it is not already turned off
The Google team said it discovered more than a dozen other flaws, but they weren't as serious because they would require the hacker to have local access to the device.
Project Zero security researcher Maddie Stone said on Twitter that Samsung had not patched the bugs more than 90 days after the flaws were reported.
End-users still don't have patches 90 days after report.... https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023