Google discovered that dozens of Android devices can be compromised without any user interaction due to multiple zero-day vulnerabilities in Samsung's Exynos modems. The affected devices include smartphones, wearables, and even vehicles.
As TechCrunch reports, a total of 18 zero-day vulnerabilities have been discovered by Google's Project Zero team of security analysts. Four of those are severe enough to allow for Internet-to-baseband remote code execution, which means an attacker only needs a victim's phone number to compromise their handset—no user interaction is necessary.
Tim Willis, head of Project Zero, explains in a blog post that, "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely."
As the vulnerabilities are found in Exynos modems, dozens of devices are affected. Google provided the following list of products that can be compromised:
Google's own Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, and Pixel 7 Pro
Samsung devices in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series
Vivo devices in the S16, S15, S6, X70, X60 and X30 series
Any wearables using the Exynos W920 chipset
Any vehicles using the Exynos Auto T5123 chipset
Maddie Stone, a security researcher on the Project Zero team, confirmed in a tweet that Samsung was given 90 days to release a patch, but none has been forthcoming.
As there is such a wide range of devices impacted by these vulnerabilities, the patch timeline is going to vary. Google included a fix for Pixel devices in the March 2023 security update