Some of the most popular Android phones in the world are in desperate need of a security patch. According to Google’s Project Zero, Samsung’s Exynos 5G modems have 18 unpatched vulnerabilities, some of which are so severe that Google has chosen not to reveal the specifics until affected devices have been updated. In the meantime, there are a few things you can do to keep yourself safe.
As you might expect, most of the vulnerable devices are manufactured by Samsung. However, if you have one of these Samsung phones in North America, it likely runs a Qualcomm chip that is not affected by the vulnerabilities. The same goes for the S23 globally, as Samsung has switched to Qualcomm this year. Samsung includes the Exynos modem in its Exynos system-on-a-chip, but the same modem is also found in other chips like Google’s Tensor and Tensor G2. That means the last two generations of Pixel phones are also affected. A raft of Vivo phones also use Exynos chips and are included in the security advisory. There are even some vehicles at risk thanks to the Exynos modem in Samsung’s T5123 automotive chipset. Here’s the full list of affected devices, updated with input from Samsung Semiconductor.
Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
The Pixel 6 and Pixel 7 series of devices from Google; and
Any vehicles that use the Exynos Auto T5123 chipset.
Project Zero has a policy of only disclosing vulnerability details 90 days after reporting to vendors, but it’s making an exception in this case. Four of the issues have been detailed publicly (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, and CVE-2023-26075) as they have passed the 90-day threshold and are not especially severe. Ten of the vulnerabilities are still non-public because they have not yet reached the 90-day limit. Project Zero plans to disclose these bugs at that point if they have not been patched.
The Pixel 7 and 7 Pro were vulnerable to the new exploits, but Google patched them this month.
On the flip side, there are four others that Project Zero has decided to keep under wraps because of their severity, even though they were reported more than 90 days ago. According to the researchers, the flaws could allow threat actors to easily construct baseband remote code execution attacks. An attacker could use that access to install malware and exfiltrate data without any user interaction.
While Samsung’s devices are still waiting on patches, Google fixed the Pixel 7 family in the latest March security patch. The older Pixel 6 is still waiting, though. Google has some advice for anyone using one of the unpatched devices: you can protect yourself from the exploit by disabling the Wi-Fi calling and VoLTE features. When an update does come through, you should install it immediately.