Google is warning that some Samsung-powered Android devices are suffering from high-severity vulnerabilities which allow threat actors to compromise the endpoints remotely without user interaction.
In a blog post published on the Project Zero website earlier this week, Google’s researchers said that they reported 18 zero-day vulnerabilities found in Samsung’s Exynos Modems in late 2022 and early 2023. Of those 18, four are high-severity, allowing for internet-to-baseband remote code execution.
With many organizations relying on mobile devices power their workforce, financially-motivated hackers, as well as state-sponsored threat actors from China and Russia, for example, will seek to exploit these flaws in malicious campaigns of data theft and espionage.
No user interaction required
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” the researchers said.
Of the four vulnerabilities, just one has an assigned CVE - CVE-2023-24033. The other three are pending.
Given that the Android ecosystem is decentralized, the speed at which the flaws receive patches depends on the manufacturers. Google, for example, has already patched these flaws for its Pixel smartphone lineup, in its March update.
For others, such as Samsung, or Vivo, it depends on how fast these companies react. For that reason, Google decided not to share more details about the flaws, in order not to give the attackers any head start.
In anticipation of the patch, IT teams who are worried about the flaws can go for a workaround - turning off Wi-Fi calling and Voice-over-LTE (VoLTE) essentially renders the vulnerabilities harmless.
Here’s the full list of all the affected devices, as per Google’s Project Zero:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
- The Pixel 6 and Pixel 7 series of devices from Google;
- any wearables that use the Exynos W920 chipset; and
- any vehicles that use the Exynos Auto T5123 chipset.
Given that the flaws only affect Android devices running on Exynos, the news comes as an unexpected win for Qualcomm, especially in the SMB sector. Whether or not the company capitalizes on the news and how remains to be seen.
- Here's our rundown of the best endpoint protection services today