Google is warning owners of some Samsung, Vivo and Pixel phones that a set of vulnerabilities in their cellular modems lets attackers compromise a device while knowing nothing more than its phone number, without the owner noticing a thing.
Project Zero, Google’s in-house team of security researchers, described in a blog post 18 zero-day vulnerabilities (flaws for which no fix existed when they were found) in phones that use Samsung’s Exynos modems. The four most severe allow an attacker who knows only the victim’s phone number to remotely compromise the device at the baseband (modem) level with no user interaction, giving access to the data flowing through the modem, such as phone calls and text messages.
The other 14 are less severe: exploiting them requires either a malicious mobile network operator or local access to the device, as TechCrunch noted.
Owners of affected devices should install security updates as soon as they are available, though each phone maker decides when a patch ships for each model. In the meantime, Google says users can remove the risk from the four remotely exploitable vulnerabilities by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. That workaround does not cover the other 14, which still need the vendor’s update.
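For anyone managing more than one handset, the practical check is whether a device has actually received the update. The script below is an added example, not part of the original article or of Google’s advisory: it reads the security patch level and baseband version that Android exposes as system properties (ro.build.version.security_patch and gsm.version.baseband) over adb and compares the patch level with a minimum date. The minimum of 2023-03-01 is an assumption chosen to match the March 2023 update mentioned in this article; adjust it to the date your vendor names for your model. Note what the check does and does not tell you: a patch level on or after the cutoff shows the update is installed, not that every one of the 18 vulnerabilities is fixed, since (as the article notes) the March Pixel update addressed only one of the four most severe.

```shell
#!/bin/sh
# Added example: compare an Android device's security patch level with a
# minimum date. Assumes adb is installed and the device exposes the standard
# ro.build.version.security_patch and gsm.version.baseband properties.

# patch_level_ok MIN CURRENT
# Both arguments are YYYY-MM-DD strings as reported by
# ro.build.version.security_patch. Returns 0 if CURRENT is on or after MIN,
# 1 otherwise. An empty or malformed CURRENT counts as not patched.
patch_level_ok() {
    min_digits=$(printf '%s' "$1" | sed 's/-//g')
    cur_digits=$(printf '%s' "$2" | sed 's/-//g')
    case "$cur_digits" in
        ''|*[!0-9]*) return 1 ;;    # unset property or non-numeric junk
    esac
    [ "${#cur_digits}" -eq 8 ] || return 1
    [ "$cur_digits" -ge "$min_digits" ]
}

# report_devices MIN
# For every device adb can see, print serial, patch level, baseband version
# and whether the patch level meets MIN (assumed default: 2023-03-01).
report_devices() {
    minimum=${1:-2023-03-01}
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        baseband=$(adb -s "$serial" shell getprop gsm.version.baseband | tr -d '\r')
        if patch_level_ok "$minimum" "$patch"; then
            status=ok
        else
            status=OUTDATED
        fi
        printf '%s\tpatch=%s\tbaseband=%s\t%s\n' "$serial" "$patch" "$baseband" "$status"
    done
}

# Run the report only when explicitly asked, so the functions can be sourced
# or tested without adb present:  sh check_patch.sh --report 2023-03-01
if [ "${1:-}" = "--report" ]; then
    report_devices "${2:-2023-03-01}"
fi
```

The baseband string is printed alongside the patch level because the modem firmware is what these fixes change; keeping it in the report lets you confirm after an update that the baseband version moved, not just the Android patch date.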
In the blog post, Google listed which devices use the affected Exynos modems. The list includes Google’s own premium Pixel phones, which have used Samsung modems since the Pixel 6, as well as a handful of wearables and vehicles built on specific Exynos chipsets.
- Phones from Samsung, including those in the premium Galaxy S22 series, the midrange M33, M13, M12, A71 and A53 series, and the affordable A33, A21, A13, A12 and A04 series.
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series.
- The premium Pixel 6 and Pixel 7 series from Google (one of the four most severe vulnerabilities was fixed for Pixel in the March 2023 security update).
- Any wearables that use the Exynos W920 chipset.
- Any vehicles that use the Exynos Auto T5123 chipset.
Google reported the vulnerabilities to the affected manufacturers in late 2022 and early 2023, the blog post said. Project Zero has, however, withheld technical details of the four most severe ones, citing the level of access they grant and how quickly a working exploit could be built from them. That is an exception to its usual practice of publishing details 90 days after reporting them to the affected companies.
Samsung didn’t immediately respond to a request for comment.