Signal, Facebook Messenger, Google Duo, and two other video conferencing and chat applications, JioChat and Mocha, may have exposed Android users to eavesdropping, Google researchers have revealed.
The flaws allowed a call to connect without any warning to the user of the receiving device, and silently streamed audio, and in some cases video, back to the calling device. All of the flaws have been fixed, so be sure to update the app on your Android device.
"In theory, securing the consent of the incoming caller before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding the track to the peer connection," Silvanovich wrote in a Google Project Zero blog post.
"But when I looked at the actual applications," she added, "they were enabling transmission in many different ways." Most of these led to vulnerabilities that allowed calls to connect without interaction from the incoming party.
The Signal flaw was fixed in the service's Android app in September 2019, and it is unlikely that many Signal users are still vulnerable. Silvanovich writes in her bug report that the Signal iOS app was unaffected only because a second, unrelated flaw prevented the completion of covert calls.
Four other Android apps were patched more recently: JioChat (widely used in India) in July 2020, Mocha (widely used in Vietnam) in August, Facebook Messenger in November, and Google Duo in December. If you use any of these apps, make sure they are up-to-date.
Silvanovich also looked at Telegram and Viber, two other widely used encrypted messaging apps, and wrote that she found no problems with calls connecting without the caller's knowledge. In November 2018, she found that the WhatsApp Android and iOS versions had a similar flaw, which was quickly fixed.
However, Silvanovich noted that she only looked into the one-to-one calling feature.
"We did not look at the group calling feature of these applications," she said. "This is a topic for future research that may reveal additional issues."
Silvanovich's research on these messenger apps follows a similar flaw in Apple FaceTime on iOS and macOS discovered in January 2019.
"The vulnerability was a logic bug in FaceTime's call state machine (the part of the app that determines whether a call is connected)" that "could be exercised using only the device's user interface," Silvanovich wrote.
"The fact that such a serious and easily reachable vulnerability occurred made us wonder if other state machines might have similar vulnerabilities," she added.
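The consent rule Silvanovich describes (add the track only after the user accepts) and the idea of a call state machine can be shown together in a small callee-side sketch. This is an added example, not code from any of the apps or from Project Zero; the class names, message types and the stand-in peer connection are all hypothetical.

```javascript
// Added illustration: callee-side call state machine in which only a local
// user action can enable media. All names and message types are hypothetical.
const State = Object.freeze({ IDLE: "idle", RINGING: "ringing", ACCEPTED: "accepted", ENDED: "ended" });

// Stand-in for a peer connection; it only records which tracks were added.
class FakePeerConnection {
  constructor() { this.tracks = []; }
  addTrack(track) { this.tracks.push(track); }
}

class CalleeCall {
  constructor(pc) { this.pc = pc; this.state = State.IDLE; this.rejected = []; }

  // Remote signaling input is untrusted: it may start or end ringing,
  // but it can never move the call into ACCEPTED.
  onRemoteMessage(msg) {
    if (msg.type === "offer" && this.state === State.IDLE) {
      this.state = State.RINGING;
    } else if (msg.type === "hangup" && this.state !== State.IDLE) {
      this.end();
    } else {
      this.rejected.push(msg.type); // unexpected for this state: record and ignore
    }
  }

  // Called only from the local UI when the user taps "answer".
  onUserAccept(localTracks) {
    if (this.state !== State.RINGING) return false;
    this.state = State.ACCEPTED;
    localTracks.forEach((t) => this.pc.addTrack(t)); // media starts here, nowhere else
    return true;
  }

  end() { this.state = State.ENDED; this.pc.tracks = []; }
}

// Constructed signaling sequence: the remote side sends messages that try to
// advance the call before the user has answered.
function runScenario(userAnswers) {
  const pc = new FakePeerConnection();
  const call = new CalleeCall(pc);
  const remote = [{ type: "offer" }, { type: "answer" }, { type: "connected" }, { type: "offer" }];
  remote.forEach((m) => call.onRemoteMessage(m));
  const beforeAccept = pc.tracks.length;
  if (userAnswers) call.onUserAccept(["mic", "camera"]);
  return { state: call.state, beforeAccept, tracks: pc.tracks.length, rejected: call.rejected };
}

console.log(runScenario(false), runScenario(true));
```

The property worth testing in a real client is the same one checked here: no sequence of remote messages alone leaves a track attached before the local accept.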
Silvanovich focused on Android apps in this case because the code of Android apps is easier to investigate than that of iOS apps. However, iOS messaging apps are not immune to these flaws, as the cases of FaceTime, WhatsApp, and Signal show.
Twitter users noted that she did not investigate the Threema encrypted messenger, which is used primarily by German-speaking users. When asked why, Silvanovich replied, "We investigated apps that have more than 10M installs on Google Play and accept incoming calls."
The apps that are not available on Google Play are not the same as those that are available on Twitter.