
Google warns users to take action to guard against remotely exploitable flaws in popular Android phones
Google’s security research unit is sounding the alarm on a set of vulnerabilities it has found in dozens of Android models, wearables and certain Samsung chips found in vehicles, fearing the flaws could soon be discovered and exploited.
In a blog post, Tim Willis, head of Project Zero at Google, said in-house security researchers have found and reported 18 zero-day vulnerabilities in Exynos modems manufactured by Samsung over the past few months, including four top-severity flaws that could compromise affected devices “silently and remotely” over the cellular network.
“Testing carried out by Project Zero has confirmed that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and only require the attacker to know the victim’s phone number,” Willis said.
By gaining the ability to remotely execute code at a device’s baseband level (essentially the Exynos modems that convert cell signals into digital data), an attacker could gain virtually unlimited access to the data flowing in and out of an affected device, including cellular calls, text messages and cell data, without alerting the victim.
As disclosures go, it is rare to see Google or any security research firm sound the alarm before high-severity vulnerabilities are patched. Google noted the risk to the public, stating that skilled attackers “might rapidly create an operational exploit” with limited research and effort.
Project Zero researcher Maddie Stone wrote on Twitter that Samsung had 90 days to fix the bugs but hasn’t done so yet.
Samsung has confirmed in a March 2023 security listing that several Exynos modems are vulnerable, affecting several Android device manufacturers, but provided few other details.
According to Project Zero, the affected devices include a couple of dozen Samsung models, Vivo devices, and Google’s own Pixel 6 and Pixel 7 phones. Affected devices also include wearables and devices that rely on Exynos chips to connect to the cellular network.
Google said that patches will vary depending on the manufacturer, but noted that Pixel devices have already been patched with its March security updates.
Google said that until affected manufacturers push software updates to their customers, users who wish to protect themselves can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which will “take away the chance of exploitation of those vulnerabilities.”
Google said the remaining 14 vulnerabilities are less severe, as they require either access to a device or insider or privileged access to a cell carrier’s systems.