Prevent hackers from taking over your Android with just your phone number

It’s not easy to keep up with the latest security news. It seems that every week there is a new threat to at least one of your devices that you need to watch out for. This one is serious, though: if you have a Samsung Galaxy or a recent Google Pixel, hackers might be able to break into your phone using just your phone number.

Project Zero, a security research team at Google, discovered a whopping 18 zero-day vulnerabilities in Samsung Exynos modems late last year through early 2023. Zero-day vulnerabilities are dangerous because attackers learn about them before software and hardware vendors do, greatly increasing the possibility of an attack.

Even worse in this case, four of the 18 zero-days allow what is known as “internet-to-baseband remote code execution,” meaning a hacker can take over your phone without any action on your part. All they need to know is your phone number, and they’re in, assuming you have one of the affected devices.

Samsung’s Exynos modem (not to be confused with the Exynos SoC common in Galaxy devices outside the US) is the part of your smartphone that enables phone calls. Project Zero believes this is the full list of affected devices:

- Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
- Mobile devices from Vivo, including the S16, S15, S6, X70, X60 and X30 series
- The Pixel 6 and Pixel 7 series of devices from Google
- All vehicles using the Exynos Auto T5123 chipset

Updates are here to protect against this latest Android security threat

In short, it’s bad news. But there is good news. Patches and updates are already available for users to fix their devices. Google, for example, fixed all four critical vulnerabilities with the March update. If you have a Pixel 6 or Pixel 7, make sure you update as soon as possible if you haven’t already to protect yourself.

The situation is similar on the Samsung side. The company patched five out of six known vulnerabilities in its March update, which is interesting considering Project Zero found four critical vulnerabilities. Additionally, Samsung does not consider the six vulnerabilities it identifies to be “critical”. However, if they are related to those zero-day modem vulnerabilities, I would disagree.

Here’s how to protect your Samsung Galaxy while waiting for the latest patch

So the immediate action is to update your Pixel or Galaxy device as soon as possible. But there is still one unpatched vulnerability on the Galaxy side, and Samsung says the fix should be ready in April. To increase your security while you wait, consider disabling Wi-Fi calling, which can help protect against this internet-to-baseband remote code execution. To do this, go to “Settings” > “Connections” and turn off “Wi-Fi Calling”.

Disabling VoLTE (Voice over LTE) is another solution, but there are two problems there. First, it affects your ability to make and receive calls, but more importantly, it’s not really doable on your end since it’s now controlled by your carrier. You can get around this by switching your network mode to 2G/3G… but who wants to live like that? I think you should keep your phone connected to LTE or 5G, disable Wi-Fi calling and wait for Samsung to issue the latest patch.