News Summary:
- The vulnerability affects Android devices using Exynos chipsets manufactured by Samsung’s semiconductor division. Vulnerable devices include the Pixel 6 and 7, the international version of the Samsung Galaxy S22, various mid-range Samsung phones, the Galaxy Watch 4 and 5, and cars using the Exynos Auto T5123 chip. These devices are vulnerable ONLY if they are running an Exynos chipset, which includes the signal processing baseband for voice calls. One bug has been identified as CVE-2023-24033, and three others have yet to receive a CVE designation. The bugs allow hackers to execute malicious code, Google’s Project Zero vulnerability team reported on Thursday. Code execution flaws in the baseband can be especially critical because the chips have base system privileges to ensure that voice calls work properly.
- Google is urging owners of some Android phones to take urgent action to protect themselves from critical vulnerabilities that allow skilled hackers to stealthily compromise their devices by placing a specially crafted call to their number. However, it remains unclear whether all of the actions advocated are possible, and even if they were, these measures would disable most devices with voice calling capabilities.
“Testing conducted by Project Zero confirms that these four vulnerabilities allow an attacker to remotely penetrate the phone at the baseband level without user interaction and require only that the attacker know the victim’s phone number,” wrote Project Zero’s Tim Willis. “With limited additional research and development, we believe skilled attackers should be able to quickly create an active exploit to compromise affected devices silently and remotely.”
The problem is that it’s not entirely clear that VoLTE can be turned off, at least on many models. A screenshot that an S22 user posted on Reddit last year shows the option to turn off VoLTE greyed out. Although this user’s S22 runs on a Snapdragon chip, the experience for users of Exynos-based phones can be the same. And even if VoLTE can be turned off, doing so along with turning off Wi-Fi can turn the phone into a small Android tablet. VoLTE became widely used a few years ago, and since then, most carriers in North America have stopped supporting the older 3G and 2G frequencies.
Earlier this month, Google released a patch for vulnerable Pixel models. Samsung has released an update that fixes CVE-2023-24033, but it has not yet been sent to end users. There is no indication that Samsung has released patches for the remaining three critical vulnerabilities. Until vulnerable devices are patched, they remain vulnerable to attacks that provide access at the deepest possible level.
A Samsung representative said in an email that the company released security patches in March for five of the six vulnerabilities “potentially impacting some Galaxy devices” and will patch the sixth next month. The email did not respond to questions about whether any fixes are currently available to end users or whether VoLTE could be turned off.