Google’s Project Zero recently uncovered two critical vulnerabilities that pose a major threat to the security of Android phones made by Google and Samsung. These vulnerabilities are deemed “severe,” emphasizing the immediate need for fixes to reduce the associated risks. Neglecting to address these vulnerabilities could lead to a significant security breach.
The most severe of the identified flaws affects Exynos modems. It comprises four vulnerabilities that can result in substantial issues with the Exynos hardware. Hackers can exploit these vulnerabilities remotely using just your phone number, without requiring any interaction from the user. Swift application of patches is essential to prevent potential exploits and protect your phone from compromise.
Several devices from Samsung, Vivo, and Google are affected by critical zero-day vulnerabilities in Exynos chipsets. The affected models include the Samsung Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series; the Vivo S16, S15, S6, X70, X60, and X30 series; and the Google Pixel 6, 6 Pro, Pixel 6a, Pixel 7, and 7 Pro. Moreover, all wearables using the Exynos W920 chipset and vehicles utilizing the Exynos Auto T5123 chipset are also at risk. A total of 18 zero-day vulnerabilities were discovered in Samsung’s Exynos chipsets, with seven enabling remote code execution. Immediate application of patches is crucial to address these vulnerabilities.
Google has promptly responded by releasing the March Pixel update to fix these vulnerabilities. While the update has been rolled out to the Pixel 7 Pro, some devices may still be awaiting the update. It is important for owners of affected devices to actively check for and install the patch as soon as it becomes available to ensure their device’s security.
How to check for updates on a Google Pixel device
Follow these steps to check for updates on a Pixel phone:
- Open the Settings app on your Pixel phone.
- Scroll down and select the System option.
- Tap System Update.
- If an update is available, you’ll receive a notification. Tap Download and Install to initiate the update process.
Please note that some updates may take time to download and install, so ensure your device has sufficient battery life and is connected to a Wi-Fi network before starting the update.
To check for updates on Samsung phones, open the Settings app and navigate to either the Software or System Updates section. If you see the March 1, 2023 Security Patch listed, it means that five out of the 18 vulnerabilities have been addressed (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076).
The remaining vulnerabilities have not surpassed the 90-day deadline or been assigned CVE-IDs yet. Samsung has also updated its advisories to remove the Exynos W920 SoC as an affected chip, alongside the release of the March 1, 2023 update.
What to do if your phone hasn’t received the update yet
Turning off VoLTE and Wi-Fi calling is a temporary measure that should stay in place only until your phone receives the necessary security patch. Once you’ve installed the update, you can safely re-enable these features. If you’re unsure about disabling these features or have concerns regarding your phone’s security, it’s best to seek guidance from your device manufacturer or carrier.
Markup tool vulnerability on Google Pixel devices
A critical vulnerability affecting the Markup utility on Pixel phones has been identified by Google’s Project Zero, potentially allowing hackers to undo redactions and uncrop edited screenshots. For individuals who frequently capture and share sensitive screenshots, this vulnerability should be taken seriously, as it could be exploited by hackers to reveal redacted information for malicious purposes. It is crucial to exercise caution when sharing sensitive information.
Although sharing screenshots through services that compress and decompress images, such as Twitter, doesn’t expose them to this vulnerability, it is still advisable to be cautious.
Fortunately, Google has addressed this issue with the March Security Update, resolving it for users who have applied the patch. However, users who took screenshots before the update could still be vulnerable. Thus, it is recommended to delete any such screenshots (from both the phone and cloud) containing sensitive information, regardless of whether they were redacted or not.
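To help decide which older screenshots to delete, the following added example (not from the original article or from Google) lists PNG files that still carry bytes after the image's end marker. It assumes the leftover data sits after the PNG `IEND` chunk, which is how this bug has been publicly described but is not stated on this page; the function names and the sample images are constructed for illustration.

```python
import struct
import sys
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk (used only for the constructed samples below)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def trailing_bytes(blob: bytes) -> int:
    """Count bytes after the IEND chunk; ValueError if the PNG structure is broken."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):  # 4 length + 4 type + 4 CRC is the minimum chunk
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return len(blob) - end  # anything past here is not part of the image
        pos = end
    raise ValueError("no IEND chunk")

def scan(folder: str) -> list[tuple[str, int]]:
    """Return (path, trailing byte count) for PNGs under folder with data after IEND."""
    hits = []
    for path in sorted(Path(folder).rglob("*.png")):
        try:
            extra = trailing_bytes(path.read_bytes())
        except (ValueError, OSError):
            continue  # unreadable or malformed file: skipped, not reported
        if extra:
            hits.append((str(path), extra))
    return hits

# Constructed samples: a minimal 1x1 PNG, and the same file with 64 filler bytes appended.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
LEFTOVER_PNG = CLEAN_PNG + b"\x00" * 64

if __name__ == "__main__":
    for found, extra in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{extra:>10} trailing bytes  {found}")
```

Run it against a copy of the screenshots folder (phone export or cloud download). Other software can also append data after `IEND`, so a hit marks a file to review and delete, not proof that it was edited in Markup.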
For users of Pixel or Samsung phones awaiting patches, it is advised to check for updates daily and apply them promptly.