Vulnerabilities found in top messaging apps let hackers eavesdrop
Google’s Project Zero discovered that a security flaw might have allowed hackers to eavesdrop on Android users. In an investigation, cybersecurity researcher Natalie Silvanovich discovered vulnerabilities in many apps with 10M+ installs on Google Play that accept incoming calls. The affected applications include hugely popular apps such as Facebook Messenger, Signal, Google Duo, JioChat, and Mocha. She described her findings in a Project Zero blog post.
The discovered security flaws would allow a call to connect to a receiving device without notifying the receiver in any way. Hackers could then listen quietly and, in some cases, even turn the camera on without alerting the owner of the targeted device. Many less popular applications have not been researched, and it is currently unknown whether this security flaw is present in them. She plans to continue investigating similar issues that could reveal more problems.
“Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection,” she wrote in her Project Zero blog post. “However, when I looked at real applications, they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee.”
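The rule in that quote, sketched as an added example (not code from the Project Zero post or from any of the apps named): a callee-side session that refuses to attach audio or video until the local user accepts. `FakePeerConnection`, `CalleeSession` and the message types are hypothetical stand-ins so the sketch runs under Node without a browser.

```javascript
// Added example: callee-side consent gate. FakePeerConnection stands in for
// RTCPeerConnection so this runs under Node; all names here are hypothetical.
class FakePeerConnection {
  constructor() { this.senders = []; }
  addTrack(track) { this.senders.push(track); return track; }
}

class CalleeSession {
  constructor(pc) {
    this.pc = pc;
    this.state = 'ringing';   // ringing -> accepted -> ended
    this.rejected = [];       // refused signalling message types, kept for logging
  }

  // Messages from the remote peer. None of them can change consent.
  onSignal(msg) {
    const allowed = { ringing: ['offer', 'candidate', 'hangup'],
                      accepted: ['candidate', 'hangup'],
                      ended: [] }[this.state];
    if (!msg || !allowed.includes(msg.type)) {
      this.rejected.push(msg && msg.type);
      return false;
    }
    if (msg.type === 'hangup') this.state = 'ended';
    return true;
  }

  // Called only from the local UI handler for the "accept" button.
  userAccept(localTracks) {
    if (this.state !== 'ringing') throw new Error('no call to accept');
    this.state = 'accepted';
    localTracks.forEach((t) => this.attachTrack(t));
  }

  // Single choke point for outgoing media.
  attachTrack(track) {
    if (this.state !== 'accepted') throw new Error('callee has not accepted');
    return this.pc.addTrack(track);
  }
}

// Constructed signalling sequence; the remote 'accept' message is a made-up
// input used to show that it is refused rather than treated as consent.
function demo() {
  const pc = new FakePeerConnection();
  const s = new CalleeSession(pc);
  [{ type: 'offer' }, { type: 'candidate' }, { type: 'accept' }]
    .forEach((m) => s.onSignal(m));
  let blocked = false;
  try { s.attachTrack('mic'); } catch (e) { blocked = true; }
  const before = pc.senders.length;
  s.userAccept(['mic', 'camera']);
  return { blocked, before, after: pc.senders.length, rejected: s.rejected };
}
```

Routing every track through one guarded method means a new code path cannot start transmission without first passing the acceptance check.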
Signal’s security flaw was patched in September 2019, and the rest of the messaging apps were fixed more recently in the second half of 2020. The Project Zero researcher also looked at other popular messaging apps such as Telegram and Viber, but she could not find these particular security flaws. She looked at Telegram in August 2020, and Viber was investigated in November last year. This is not the first time Project Zero has revealed such security flaws. Back in November 2018, the very same researcher brought to light a similar loophole in WhatsApp. It affected not only Android users; the security flaw was observed on Apple devices too.
Even though all of the vulnerabilities have been patched by the app developers, hackers would still be able to exploit the loophole if the targeted devices are running an older version of the apps. It is also possible that further research will discover more security issues that may currently be in use by hackers. Making sure you have high-end antivirus software installed on all your connected devices and that you regularly update your apps and OS is a must if you want to prevent cyber criminals from having a way into your personal life.