Android Phones with Exynos Chipset Need Security Updates
Last Updated: 29 March 2023
Google's Project Zero found numerous vulnerabilities in the Exynos chipset used by a variety of Android phones. The most severe of them could allow an attacker to remotely compromise a phone, without the phone owner needing to do anything. The attacker just needs the phone number. That said, it doesn't seem to be under active exploit yet, at least as far as public news goes.
Affected Devices: Only phones with certain Exynos chipsets are vulnerable. Adding to the confusion is the fact that in some cases, the same phone model has different chips, depending on where in the world it was sold.
The Samsung S22 is one example: the version sold in Europe has Exynos, but those sold in many other places have a Qualcomm chip.
Affected Chipsets: Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123.
Google provided this list of likely affected devices based on the chipset list:
Samsung Galaxy phones including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series
Vivo phones including those in the S16, S15, S6, X70, X60, and X30 series
Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro
Any vehicles that use the Exynos Auto T5123 chipset
Exploited?: I haven't yet found information saying the vulnerabilities are known to have been exploited, but the Project Zero researchers stated "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely".
Mitigation: Google recommends you turn off Wi-Fi calling and Voice-over-LTE (VoLTE) on the affected devices. However, they have acknowledged that depending on carrier, you may not be able to turn off VoLTE.
Furthermore, you may not be able to use your phone for voice at all if VoLTE is off, depending on carrier, etc. So realistically, your best bet is a patch. See below.
Fix: As of the latest update to this post, Google has said the Pixel 7, Pixel 6, Pixel 6 Pro, and Pixel 6a have the critical vulnerabilities patched in the March 2023 security update.
It looks like at least some of the Samsung models have some patches available, so install any security updates you have pending and keep an eye out for more.
Google Project Zero entry