Google's Project Zero security teams have warned Android users of 18 critical bugs found in high-volume Android phones that could allow hackers to access sensitive data or take control of the device. The bugs range in severity from minor to major, with affected smartphones including some Samsung models, Vivo phones and Google's own Pixel 6 and Pixel 7 handsets. Wearables and cars that use Exynos processors to connect to the mobile network are also affected.
Google's Project Zero lead Tim Willis said in a blog post that in-house security researchers have discovered 18 zero-day vulnerabilities in Samsung Ezynos modems over the past few months, and that four of those vulnerabilities, the most serious of all, "allow remote code execution from the Internet to the baseband". This means that the malware allows an attacker to silently and remotely compromise affected devices over the mobile network. All the attacker needs is the victim's phone number to launch an attack.
While analysing the bugs, the team found that one of the bugs, dubbed CVE-2022-4061, has a severity rating of 9.8 out of 10, indicating a high risk level, and affects the Android system media framework. The vulnerability allows attackers to remotely execute code on the target device.
CVE-2022-4094 has a severity rating of 7.8 out of 10, also high risk, and affects the Android system kernel. This bug allows an attacker to access sensitive data and remotely take complete control of the device by elevating privileges.
Other bugs that pose a threat to the Android system are CVE-2022-411: a flaw in the Wi-Fi module of an Android system, CVE-2022-4113: a flaw in the audio framework of an Android system, and CVE-2022-4118: a flaw in the Bluetooth module of an Android system.
At the time of writing, Google has released patches for the affected Pixel 6 and 7 handsets and advised users to update their devices to ensure they are protected against these vulnerabilities. Tim Willis, speaking on behalf of Google Project Zero, acknowledged that the timeline for patches can vary from manufacturer to manufacturer and offered a temporary solution, saying,
"Until security updates are available, users who want to protect themselves from the baseband remote code execution vulnerabilities in Samsung's Exynos chipset can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Disabling these settings will remove the risk of these vulnerabilities being exploited".