Google has released a warning that certain Android phones may be remotely hacked without the need for the victim to interact with anything.

The attack can allow a remote user access to call information and text messages being transmitted via Samsung Exynos chipsets utilized in numerous devices. Furthermore, the only piece of information an attacker needs to target a phone is the device’s phone number.

Google’s Project Zero team has discovered a total of 18 zero-day vulnerabilities in some phones’ built-in Exynos modem, with four being particularly severe: these vulnerabilities allow an attacker to compromise a phone at the baseband level without user interaction, with just the victim’s phone number required.

Vulnerable devices include:

  • Samsung smartphones, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;

  • Vivo smartphones, including those in the S16, S15, S6, X70, X60 and X30 series;

  • Google Pixel 6 and Pixel 7 devices; and

  • any vehicles that use the Exynos Auto T5123 chipset.

Google’s recommendation for those with vulnerable devices is to turn off Wi-Fi calling and Voice over LTE (VoLTE) settings until a fix is available.