Google Sounds Alarms on Security Flaws in Androids with Samsung Chips

According to Google’s Project Zero head Tim Willis, 18 zero-day vulnerabilities have been discovered in Samsung’s Exynos modems over the past few months (via TechCrunch).

Google’s in-house security research unit has reported at least four top-severity flaws in Samsung chips included in dozens of Android models, wearables, and vehicles.

“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction,” Willis said.

The attacker only needs to know the victim’s phone number to exploit these vulnerabilities, he added.

Project Zero researcher Maddie Stone wrote on Twitter that Samsung had 90 days to patch the bugs, but hasn’t yet.

In a security listing this month, Samsung also confirmed that some Exynos modems are vulnerable, affecting several Android device manufacturers.

The list of affected devices includes the following:

  • Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Vivo mobile devices, including those in the S16, S15, S6, X70, X60 and X30 series;
  • Google Pixel 6 and Pixel 7 series;
  • Connected vehicles that use the Exynos Auto T5123 chipset.

Google also confirmed that Pixel devices are already patched against these flaws with its March security updates.

Until affected manufacturers push software updates to their customers, Google said users who wish to protect themselves can switch off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, which will “remove the exploitation risk of these vulnerabilities.”
