TL;DR:<\/strong> this is bad \u2014 remote code execution without user interaction over the cellular network, combined with the usual level of security confusion that goes with Android’s model. Unless your Android device is on the list of known-patched devices, or unless your vendor has explicitly announced that they are not using an affected cellular modem, assume you are in danger, and apply the workaround (turn off Wi-Fi calling & Voice-over-LTE AKA VoLTE).<\/em><\/p>\n Mobiles phones contain a sub-system designed for communicating with cellular networks. These sub-systems handle the radio communications between the phones and the cell towers, and they are highly independent from the rest of the phone, they don’t just have their own firmware, they contain an independent processor, and run their own mini OS. This mini OS has a privileged relationship with the phone’s primary OS, making it possible for malware to migrate from the base-band OS to the core Android OS, and to do so with system-level privileges.<\/p>\n Different cellular modem manufacturers use different hardware, firmware, and software for their base-band chips, so these kinds of vulnerabilities don’t generally affect all Android devices.<\/p>\n Google’s Project Zero have announced the existence of four critical bugs that allow an attacker knowing nothing more than a victim’s cellphone number to remotely take over the devices without any user interaction, and entirely stealthily. This is the kind of vulnerability that grey-hat companies like the NSO group<\/a> leverage to create spyware products like the infamous Pegasus<\/a>. That level of access would of course also be a positive boon for cyber criminals who could steal passwords, private keys, MFA codes, and more in order to steal identities, money, and cryptocurrency wallets.<\/p>\n Most unusually, the Project Zero team have chosen to withhold the details of the vulnerabilities despite the using 90-day window having expired. These bugs are so bad they are making a rare exception.<\/p>\n As well as not knowing how the bugs work, we only have a vague idea of what devices are and are not affected. We know that Google have patched the vulnerabilities in the latest software updates for their Pixel phones and that many Samsung devices are affected, but beyond that, there’s very little clarity.<\/p>\n Thankfully there is a workaround for anyone not using a Pixel device \u2014 turn off Wi-Fi calling and Voice-over-LTE (VoLTE).<\/p>\n If you’re using a non-Pixel Android device, apply the workaround now, and check with your manufacturer whether or not your device has a patch for CVE-2023-24033<\/code>.<\/p>\nLinks<\/h3>\n
\n
❗ Action Alerts<\/h2>\n