Google issued a warning to owners of some Samsung, Pixel, and Vivo phones about critical vulnerabilities that could allow hackers to compromise their devices by making a special call to their phone numbers.
The post said that Google’s team found at least 18 different possible exploits that could be used to target the aforementioned devices that use Exynos chips. Owners of the impacted devices should install upcoming updates as soon as possible, although availability varies depending on the phone manufacturer’s schedule for each device.
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” wrote Google’s Tim Willis in the post, dated March 16.
The fourteen other vulnerabilities “were not as severe,” he added, “as they require either a malicious mobile network operator or an attacker with local access to the device.”
Google’s security team said that in the meantime, some Android users can avoid being hacked by turning off Wi-Fi calling and Voice-over-LTE, known alternatively as VoLTE, in their device’s settings.
“Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities,” Willis wrote.
Samsung issued a statement confirming that it is aware of the potential security exploits and said it is now releasing updates for affected devices. It advised owners to update their Android smartphone software.
Impacted Devices
In all, the impacted devices include Samsung’s S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series devices as well as Vivo’s S16, S15, S6, X70, X60, and X30 series devices, according to Google. Other affected devices include the Google Pixel 6 and 7 and any vehicles that use the Exynos Auto T5123 chipset, the company added.
“For example, Google’s recent Pixel devices use Google’s own system-on-chip, branded Tensor, but both the Pixel 6 and Pixel 7 are vulnerable to these still-semi-secret baseband bugs,” Sophos said.
Google noted that the discoveries were made in late 2022 and early 2023. The Project Zero team said it has chosen not to disclose four other vulnerabilities because of ongoing security exploits.
Via its product security update website, Samsung described one of the bugs—CVE-2023-24033—as a “memory corruption when processing SDP attribute accept-type.”