Google’s Project Zero discovered that a security flaw might have allowed hackers to eavesdrop on Android users. In an investigation, cybersecurity researcher Natalie Silvanovich discovered vulnerabilities in many apps with 10M+ installs on Google Play that accept incoming calls. The affected applications include hugely popular apps such as Facebook Messenger, Signal, Google Duo, JioChat, and Mocha. She described her findings in a Project Zero blog post.
The discovered security flaws would allow a call to connect to a receiving device without notifying the receiver in any way. Hackers could then listen quietly and, in some cases, even turn the camera on without alerting the owner of the targeted device. Many less popular applications have not been researched, and it is currently unknown whether this security fault could be observed there. Silvanovich plans to continue investigating similar issues that could reveal more problems.
“Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection,” she wrote in her Project Zero blog post. “However, when I looked at real applications, they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee.”
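The consent rule in that quote can be written as a small callee-side state machine. The sketch below is an added example, not code from the Project Zero post or from any of the apps named here. The class name `CalleeCall`, its message types and the stub objects are assumptions made for illustration. Only `addTrack` and `getUserMedia` correspond to real WebRTC APIs, and both are injected so the code runs outside a browser.

```javascript
// Added example: callee-side consent gate. `pc` needs only RTCPeerConnection's
// addTrack(track, stream); `getMedia` stands in for mediaDevices.getUserMedia.
class CalleeCall {
  constructor(pc, getMedia) {
    this.pc = pc;
    this.getMedia = getMedia;
    this.state = 'idle'; // idle -> ringing -> accepted | ended
  }

  // Remote input: an incoming offer only makes the device ring.
  onRemoteOffer() {
    if (this.state === 'idle') this.state = 'ringing';
  }

  // Remote input: nothing the caller sends may move the call to "accepted".
  onRemoteMessage(msg) {
    if (msg.type === 'hangup') this.state = 'ended';
    return this.state; // every other message type leaves the state alone
  }

  // Local input: the only path that opens mic/camera and adds tracks.
  async onUserAccept() {
    if (this.state !== 'ringing') throw new Error('no ringing call to accept');
    this.state = 'accepted';
    const stream = await this.getMedia({ audio: true, video: true });
    for (const track of stream.getTracks()) this.pc.addTrack(track, stream);
  }
}

// Constructed stubs so the example runs outside a browser.
function makeStubs() {
  const added = [];
  let captures = 0;
  const pc = { addTrack: (track) => added.push(track.kind) };
  const getMedia = async () => {
    captures += 1;
    return { getTracks: () => [{ kind: 'audio' }, { kind: 'video' }] };
  };
  return { pc, getMedia, added, captureCount: () => captures };
}

async function demo() {
  const s = makeStubs();
  const call = new CalleeCall(s.pc, s.getMedia);
  call.onRemoteOffer();
  call.onRemoteMessage({ type: 'accept' }); // constructed caller-sent message
  const before = { state: call.state, tracks: s.added.length, captures: s.captureCount() };
  await call.onUserAccept();
  return { before, after: { state: call.state, tracks: [...s.added] } };
}
```

A regression test for a calling app can assert the same invariant: before the local accept handler runs, the microphone and camera have not been opened and the peer connection has no local tracks.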
Signal’s security flaw was patched in September 2019, and the rest of the messaging apps were fixed more recently, in the second half of 2020. The Project Zero researcher also looked at other popular messaging apps such as Telegram and Viber, but she could not find these particular security flaws. She looked at Telegram in August 2020, and Viber was investigated in November last year. This is not the first time Project Zero has revealed such security flaws. Back in November 2018, the very same researcher brought to light a similar loophole in WhatsApp; it affected not only Android users, as the security flaw was observed on Apple devices too.
Even though all of the vulnerabilities have been patched by the app developers, hackers would still be able to exploit the loophole if the targeted devices are running an older version of the apps. It is also possible that further research would discover more security issues that may be currently in use by hackers. Making sure you have high-end antivirus software installed on all your connected devices and that you regularly update your apps and OS is a must if you want to prevent cyber criminals from having a way into your personal life.
13 comments
“all of the vulnerabilities have been patched by the app developers”… Your next article should be about the unreliability of Windows 98. Timeliness is relevance. This article is dated and therefore irrelevant.
How can you tell if your device has been hacked? Recently my son asked to use my phone which only happens if his phone is not working. So I believe his dad put him up to it is my strong feeling. Please let me know what to look for. Thanks
Your phone gets hot for no reason. Because they are busy using your phone as a modem or overusing your CPU. Your battery drains real quick. Look for apps you didn’t install.
This happened to me at the end of 2017 to the beginning of 2018: my college account got hacked. I’m still locked out of it, lost all my data, and it’s happened again about a month ago. I lost another account as well as having to leave college, move from California to Florida, and I still feel like I’ve been violated.
And this was due to that Duo video sharing app by Google. I’m talking to my wife while I was in California on my other phone, which was in my name, that she had in Florida. Two weeks later everything was gone, my whole account. I had to reimage my computers, my phone was wiped out, I bought five by the phones, couldn’t log into none of them, brand new.
Bla, bla, bla!
They first need to get hold of my number! And really, who would be interested in my info? I am not rich, or have millions that they can steal from me. So they would have gone through all the effort and trouble to see there is nothing worth their while.
That’s shocking
Sensationalist bunkum.
This issue could be days, weeks or months old – no mention at all of the original post, or a link to the CVE. What is the point in placing worry on the communication apps people depend upon every day, when you’re just trying to flog your second-rate mobile security app?
Cite your sources or don’t bother publishing.
I’ve been hacked similar way and other ways since 2014 but no one believes me even when I reported it to the police in 2017.
Hello
In my opinion is important have a good protection against this attack cyber criminals because there are much people in this medium that not know well about is things and for these there are that have much attention when introduce date of bank account, email, photos and all this type of things.
In the possible is try of used well this platform each that were browsing for Internet and the best is have a good protection with a good protection antivirus.
In my case I was using Avast and also for is fantastic your protection so only little
I look this other software Pande and also is very good. In true I recommend it.
Is great alternative for all the users for keep the protection
Thank you very much
Why are we reporting on this now when it’s all been patched, in some cases 2 years ago…
Like Woody Guthrie said about the government reading all his mail, maybe they will learn something.
WhatsApp..no we can’t see your messages. Me, forward my messages to email…WhatsApp, o wait we can do the same and send to our email