Google is warning owners of some Samsung, Vivo and Pixel phones that a set of vulnerabilities in their cellular modems lets an attacker compromise the device remotely, with no interaction from the victim, by knowing nothing more than the phone number.
Project Zero, Google's in-house vulnerability research team, described 18 vulnerabilities in Samsung's Exynos modem chipsets in a blog post. All 18 were zero-days at the time of reporting: flaws unknown to the vendor and unpatched when Project Zero found them. The four most severe allow Internet-to-baseband remote code execution. In Project Zero's own tests, these four let an attacker remotely compromise a phone at the baseband level (the modem firmware that handles calls, SMS and mobile data) with no user interaction, and they require only that the attacker know the victim's phone number.
The other 14 vulnerabilities are less severe because they cannot be exploited from the Internet alone: according to Project Zero, they require either a malicious mobile network operator or an attacker with local access to the device.
Owners of affected devices should install security updates as soon as they are offered, although it is up to each manufacturer to decide when a patch ships for a given model. In the meantime, Project Zero says users who want to protect themselves can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings; it states that disabling these two features removes the exploitation risk for the baseband vulnerabilities. Whether those toggles are exposed depends on the device and carrier software, so owners should confirm both are actually off rather than assume a default.
In the blog post, Google lists which devices use the affected Exynos modems, confirming in the process that its own premium Pixel 6 and Pixel 7 lines rely on Samsung modems. The list also includes wearables and vehicles built on specific Exynos chipsets.
The affected devices named in the post are:
- Samsung phones including the premium Galaxy S22 series, the mid-range M33, M13, M12, A71 and A53 series, and the affordable A33, A21, A13, A12 and A04 series.
- Vivo mobile devices including the S16, S15, S6, X70, X60 and X30 series.
- Google's Pixel 6 and Pixel 7 series. Google says Pixel devices received a fix for one of the four most severe vulnerabilities, tracked as CVE-2023-24033, in the March 2023 security update; the remaining three had not yet been assigned CVE identifiers at the time of the post.
- All wearables that use the Exynos W920 chipset.
- All vehicles that use the Exynos Auto T5123 chipset.
Google reported the vulnerabilities to the affected manufacturers in late 2022 and early 2023, the blog post said. Project Zero normally publishes details of a vulnerability a fixed period after reporting it to the vendor, even if no patch has shipped. In this case it is making an exception for the four Internet-to-baseband remote code execution flaws: it is withholding details of those four beyond the standard deadline because of the rare combination of the level of access they give an attacker and the speed with which the team believes a reliable working exploit could be built from a public write-up.
Samsung did not immediately respond to a request for comment.