Google warns users to take action to protect against remotely exploitable flaws in popular Android phones

Google’s security research unit is sounding the alarm on a set of vulnerabilities it found in certain Samsung chips included in dozens of Android models, wearables and vehicles, fearing the flaws could soon be discovered and exploited.

Google’s Project Zero head Tim Willis said the in-house security researchers found and reported 18 zero-day vulnerabilities in Exynos modems produced by Samsung over the past few months, including four top-severity flaws that could compromise affected devices “silently and remotely” over the cellular network.

“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” Willis said.

By gaining the ability to remotely run code at a device’s baseband level — essentially the Exynos modems that convert cell signals to digital data — an attacker would be able to gain near-unfettered access to the data flowing in and out of an affected device, including cellular calls, text messages, and cell data, without alerting the victim.

As disclosures go, it’s rare to see Google — or any security research firm — sound the alarm on high-severity vulnerabilities before they are patched. Google noted the risk to the public, stating that skilled attackers “would be able to quickly create an operational exploit” with limited research and effort.

Project Zero researcher Maddie Stone wrote on Twitter that Samsung had 90 days to patch the bugs, but hasn’t yet.

Samsung confirmed in a March 2023 security listing that several Exynos modems are vulnerable, affecting several Android device manufacturers, but provided few other details.

According to Project Zero, affected devices include nearly a dozen Samsung models, Vivo devices, and Google’s own Pixel 6 and Pixel 7 handsets. Affected devices also include wearables and vehicles that rely on Exynos chips for connecting to the cellular network.

The list of affected devices includes (but is not limited to):

  • Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Vivo mobile devices, including those in the S16, S15, S6, X70, X60 and X30 series;
  • Google Pixel 6 and Pixel 7 series;
  • Connected vehicles that use the Exynos Auto T5123 chipset.

Google said that patches will vary depending on the manufacturer, but noted that its Pixel devices are already patched with its March security updates.

Until affected manufacturers push software updates to their customers, Google said users who wish to protect themselves can switch off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which will “remove the exploitation risk of these vulnerabilities.”

Google said the remaining 14 vulnerabilities were less severe since they require either access to a device or insider or privileged access to a cell carrier’s systems.