Severe Android Voicemail Bug Hijacks Phones Remotely
Google has warned users of some Android handsets to turn off some voice call features. A series of vulnerabilities could mean attackers can compromise a handset just by knowing its phone number.
The problem involves four vulnerabilities in a Samsung-made component called an Exynos chipset, which is used for voice calls made over mobile data rather than the voice network.
At the time of writing, Google says the affected products include phones made by Samsung (A04, A12, A13, A21s, A33, A53, A71, M12, M13, M33, S22), Google itself (Pixel 6 and 7) and Vivo (S6, S15, S16, X30, X60, X70) along with any handsets that use the Exynos Auto T5123 chipset.
While a patch is ready, its distribution is down to individual manufacturers. The Pixel models should be patched with the latest update, but users of other phones need to check with their manufacturer.
Switch Off For Safety
In the meantime, Google recommends owners of unpatched handsets switch off two features in settings menus: Voice-over-LTE (VoLTE) and WiFi calling. This will mean some apps no longer work properly but will make an attack unworkable.
Ars Technica has cited some users as saying not all the affected handsets have the ability to switch off VoLTE calling. (Source: arstechnica.com)
It's clearly a notable issue, not just because the workaround is relatively severe, but because Google has chosen not to issue full details of the vulnerability at this time. That's a big exception to its usual policy of telling manufacturers about bugs and then giving them 90 days to address them before publicly revealing the details.
Details Under Wraps
In this case Google says it's keeping some information quiet because of "a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted."
It says the bugs could allow "Internet-to-baseband remote code execution", meaning attackers could remotely control the handset without requiring any action by the user. It added that "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely." (Source: blogspot.com)
What's Your Opinion?
Are you affected by the issue? Would you be happy to switch off these features for the sake of security? Is Google right to keep details quiet in this case or does it undermine its frequent campaigning for "full disclosure"?