Android phones can be hacked just by someone knowing your phone number

Well, this isn’t good.

Google has issued a warning that some Android phones can be hacked remotely, without the intended victim having to click on anything.

If an attack is successful, the hacker could access data going through the Samsung Exynos chipsets used in many devices, scooping up call information and text messages.

And what does a hacker need to know about you to target your phone?

Your phone number.

That’s it. All they need to know is your Android device’s phone number.

Frankly, that’s horrific. It’s easy to imagine how such a security problem could be exploited by – oh, I don’t know – state-sponsored hackers.

In all, security boffins working in Google’s Project Zero team say that they have uncovered a total of 18 zero-day vulnerabilities in some phones’ built-in Exynos modem – with four of the vulnerabilities being particularly severe:

Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

According to the researchers, the other vulnerabilities require either a malicious mobile network operator or an attacker with physical access to the Android device.

Vulnerable devices include:

• Samsung smartphones, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
• Vivo smartphones, including those in the S16, S15, S6, X70, X60 and X30 series;
• Google Pixel 6 and Pixel 7 devices; and
• any vehicles that use the Exynos Auto T5123 chipset.

It’s worth noting that some devices will be using the Qualcomm chipset and modem, which does not suffer from the same vulnerabilities as the one from Exynos.

Of course, Google’s Project Zero vulnerability-hunters have no qualms about going into great detail of how security holes can be exploited, and normally shares such information 90 days publicly after informing relevant software or hardware vendors of the problem.

In this case, however, Google’s team appears to recognise that public disclosure at this stage might actually cause significant problems:

Under our standard disclosure policy, Project Zero discloses security vulnerabilities to the public a set time after reporting them to a software or hardware vendor. In some rare cases where we have assessed attackers would benefit significantly more than defenders if a vulnerability was disclosed, we have made an exception to our policy and delayed disclosure of that vulnerability.

Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution.

If you have an affected Google Pixel device, there’s good news. Google has already issued a security patch for your smartphone with its March 2023 security update.

However, if you’re the owner of a vulnerable Samsung smartphone, fixes still aren’t available according to at least one Google Project Zero researcher.

End-users still don’t have patches 90 days after report…. https://t.co/dkA9kuzTso

— Maddie Stone (@maddiestone) March 16, 2023

So what should you do if your device hasn’t been patched?

Google’s recommendation is that you change your device’s settings to switch off Wi-Fi calling and Voice over LTE (VoLTE), until a fix for your smartphone is available.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.