Google is warning owners of some Samsung, Vivo and Pixel phones that a series of exploits could let bad actors compromise devices simply by knowing basic phone numbers -- and the device owners wouldn't notice a thing.
Project Zero, Google's in-house team of cybersecurity experts and analysts, described in a blog post 18 different potential exploits that could be used to hack into select phones that use Samsung's Exynos modems. These exploits are so severe that they should be treated as zero-day vulnerabilities (indicating they should be fixed immediately). With four of these exploits, an attacker has to have only the right phone number to get access to data flowing in and out of a device's modem, like phone calls and text messages.
The other 14 exploits are less worrisome, since they require more effort to expose their vulnerability -- attackers would need access to the device locally or to a cell carrier's systems, as TechCrunch noted.
Samsung acknowledged the vulnerabilities and said it's released security updates for devices that could be affected, advising owners to update to the latest software to stay protected.
"After determining 6 vulnerabilities may potentially impact select Galaxy devices, of which none were 'severe', Samsung released security patches for 5 of these in March," reads a Samsung statement sent to CNET. "Another security patch will be released in April to address the remaining vulnerability."
Owners of affected devices should install upcoming security updates as soon as possible, though it's up to the phone makers to decide when a software patch will come out for each device. In the meantime, Google says device owners can avoid being targeted by these exploits by turning off Wi-Fi calling and Voice-over-LTE, or VoLTE, in their device settings.
In the blog post, Google listed which phones use the Exynos modems -- inadvertently admitting that its premium Pixel phones have been using Samsung's modems for years. The list also includes a handful of wearables and cars that use specific modems.
Google reported these exploit discoveries to affected phone manufacturers in late 2022 and early 2023, the blog post said. But the Project Zero team has chosen not to disclose four other vulnerabilities out of caution due to their ongoing severity, breaking with its usual practice of disclosing all exploits a set period of time after reporting them to affected companies.