Google is warning owners of some Samsung, Vivo and Pixel phones that a number of exploits allow bad actors to compromise devices simply by knowing phone numbers — and the device owners wouldn’t notice a thing.
Project Zero, Google’s internal team of cybersecurity experts and analysts, described in a blog post 18 different potential exploits in some phones that use Samsung’s Exynos modem. Project Zero rates these exploits severe enough to be treated as zero-day vulnerabilities, meaning they should be patched immediately. With four of these exploits, an attacker needs only the victim’s phone number to access data flowing in and out of a device’s modem, such as phone calls and text messages.
The other 14 exploits are less worrisome because they are harder to use: an attacker would need local access to the device or access to a mobile carrier’s systems, as TechCrunch noted.
Owners of affected devices should install upcoming security updates as soon as possible, although it is up to the phone manufacturers to decide when a software patch will be released for each device. In the meantime, Google says device owners can avoid being hit by these exploits by disabling Wi-Fi calling and Voice over LTE (VoLTE) in their device settings.
In the blog post, Google listed which phones use the Exynos modems — inadvertently admitting that its premium Pixel phones have been using Samsung’s modems for years. The list also includes a handful of wearables and vehicles that use specific Exynos chipsets.
- Phones from Samsung, including those in the premium Galaxy S22 series, the mid-range M33, M13, M12, A71 and A53 series and the affordable A33, A21, A13, A12 and A04 series.
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series.
- Premium Pixel 6 and Pixel 7 devices from Google (at least one of the four most serious vulnerabilities was fixed in the March security update).
- All wearables using the Exynos W920 chipset.
- All vehicles using the Exynos Auto T5123 chipset.
Google reported these exploit discoveries to affected phone manufacturers in late 2022 and early 2023, the blog post said. But the Project Zero team has chosen not to disclose four other vulnerabilities out of an abundance of caution due to their continued severity, breaking with its usual practice of disclosing all exploits within a certain period of time after reporting them to affected companies.
Samsung did not immediately respond to a request for comment.