Stop Hackers From Taking Over Your Android Using Only Your Phone Number
Keeping up to date with the latest security news is not easy. Every week, at least one of our devices has a new threat to watch out for. This time, however, it’s stupid: if you have a Samsung Galaxy or a recent Google Pixel, hackers can hack into your phone using just your phone number.
Google’s Project Zero research team found a whopping 18 zero-day vulnerabilities in Samsung Exynos modems from late last year to early 2023. Zero-day vulnerabilities are dangerous because attackers become aware of them earlier than software and hardware vendors, which raises the possibility of an attack significantly.
Even worse in this case, four out of 18 zero days allow for what is called “remote code execution from the Internet to the mainband,” where a hacker can take over your phone without your participation. All they need to know is your phone number and they are online if you have one of the affected devices.
Samsung’s Exynos modem (not to be confused with the Exynos SoC that’s common in Galaxy devices outside the US) is the part of your smartphone that makes phone calls. Project Zero believes this is the complete list of affected devices:
- Samsung mobile devices, including S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series.
- Vivo mobile devices, including S16, S15, S6, X70, X60 and X30 series.
- Pixel 6 and Pixel 7 device series from Google
- Any vehicles using the Exynos Auto T5123 chipset.
Updates are here to protect against this latest Android security threat
In short, this is bad news. But there is good news. Patches and updates are already available for users to fix their devices. Google, for example, fixed all four critical vulnerabilities in the March update . If you have a Pixel 6 or Pixel 7, be sure to update as soon as possible if you haven’t already, to protect yourself.
Similar news from Samsung. The company patched five of the six security vulnerabilities it noted in its March update , which is interesting considering Project Zero flags four critical vulnerabilities. Moreover, Samsung does not consider the six identified vulnerabilities “critical”. However, if they are related to these zero-day modem vulnerabilities, I would disagree.
How to protect your Samsung Galaxy while waiting for the final patch
So, the immediate action is to update your Pixel or Galaxy device as soon as possible. But there is still an unpatched vulnerability on the Galaxy side, which Samsung says should be ready in April . To bolster your security while you wait, you might want to consider disabling Wi-Fi calls, which can help protect against this remote code execution from the internet to the baseband. To do this, go to Settings > Connections and turn off Wi-Fi Calling.
Disabling VoLTE (Voice Over LTE) is another solution, but there are two problems here. First, it affects your ability to make and receive phone calls, but more importantly, it’s not entirely doable on your part since it’s now controlled by your carrier. You can get around this by switching the network mode to “2G/3G”… but who wants to live like that? In my opinion, keep your phone connected to LTE or 5G, disable Wi-Fi calls, and wait for Samsung to release the final patch.