Google and Samsung Phones Have Severe Vulnerabilities
Google's Project Zero recently discovered two critical vulnerabilities that pose a significant threat to the security of Android phones manufactured by Google and Samsung. These vulnerabilities have been classified as "severe," indicating the urgent need for patching to mitigate the risks involved. Failure to do so could result in a serious security breach.
One of the identified vulnerabilities, and by far the most serious, impacts Exynos modems. The vulnerabilities consist of four weaknesses that can lead to significant issues with the Exynos hardware. Hackers can exploit these vulnerabilities remotely with only your phone number without the need for user interaction. Immediate patching is required to prevent potential exploits and compromise of your phone.
Numerous devices from Samsung, Vivo, and Google have been found to be vulnerable to serious zero-day vulnerabilities affecting Exynos chipsets. Among the affected devices are the Samsung Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series, the Vivo S16, S15, S6, X70, X60, and X30 series, and Google Pixel 6, 6 Pro, Pixel 6a, Pixel 7, and 7 Pro. Additionally, all wearables that utilize the Exynos W920 chipset and all vehicles that use the Exynos Auto T5123 chipset are also affected. A total of 18 zero-day vulnerabilities were discovered in Samsung's Exynos chipsets, with seven allowing for remote code execution. Immediate patching is required to mitigate these vulnerabilities.
Google has taken immediate action by releasing the March Pixel update to address these vulnerabilities. While the patch has been rolled out to the Pixel 7 Pro, some devices may still be waiting for the update. It's important for owners of affected devices to proactively check for and apply the patch as soon as it becomes available to ensure their device is protected.
How to check for updates on a Google Pixel device
Here are the steps to check for updates on a Pixel phone:
- Open the Settings app on your Pixel phone.
- Scroll down and select the System option.
- Tap System Update.
- If there is an update available, you'll see a notification. Tap Download and Install to start the update process.
It's important to note that some updates may take a while to download and install, so make sure your device has enough battery life and is connected to a Wi-Fi network before starting the update process.
To check for updates on Samsung phones, open the Settings app and look for either the Software or System Updates section. If the March 1, 2023 Security Patch is listed, it means that five out of the 18 vulnerabilities have been addressed (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076).
The remaining vulnerabilities have not yet passed the 90-day deadline or been assigned CVE-IDs. Samsung has also updated its advisories to remove the Exynos W920 SoC as an affected chip, along with the release of the March 1, 2023 update.
Related: Pinduoduo users are at risk
What to do if your phone hasn’t received the update yet
It's important to note that turning off VoLTE and Wi-Fi calling should only be done temporarily until your phone receives the necessary security patch. Once you've applied the update, it's safe to turn these features back on. Additionally, if you're not sure how to turn off these features or have any concerns about the security of your phone, it's always a good idea to contact your device manufacturer or carrier for guidance.
Markup tool vulnerability on Google Pixel devices
A severe vulnerability has been identified by Google's Project Zero that affects the Markup utility on Pixel phones, potentially enabling hackers to unredact and uncrop edited screenshots. For individuals who frequently take and share sensitive screenshots, this vulnerability should be treated seriously, as a hacker could exploit this vulnerability to uncover redacted information and use it for malicious purposes. It is essential to exercise caution while sharing sensitive information.
While sharing screenshots via services that compress and decompress images, such as Twitter, does not expose them to the vulnerability, it is still advised to exercise caution.
Thankfully, Google has addressed the issue with the March Security Update, ensuring that it is resolved for users who have applied the patch. However, users who took screenshots before the update may still be vulnerable. Therefore, it is advisable to delete any such screenshots (from both phone and cloud) containing sensitive information, whether redacted or not.
For those using Pixel or Samsung phones yet to receive patches, it is recommended that you check for updates daily and apply them as soon as possible.