Signal, Facebook Messenger, Google Duo and two other video-conferencing and chat apps, JioChat and Mocha, could have let eavesdroppers listen in on Android users, a Google researcher has revealed.
The flaws would let a call connect to a receiving device without alerting the receiving device's user in any way, quietly opening up an audio, and sometimes a video, stream back to the calling device. The flaws have all been patched, so make sure you update the apps on your Android devices.
- How to switch from WhatsApp to Signal
- The best encrypted messaging apps
- Plus: Look out: This browser link will crash your Windows 10 PC
"Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection," Silvanovich wrote in a Google Project Zero blog post.
"However, when I looked at real applications they enabled transmission in many different ways," she added. "Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee."
The Signal flaw was fixed in the service's Android app in September 2019, and it's unlikely that many Signal users would still be vulnerable. The Signal iOS app was not affected only because a second, unrelated flaw prevented the secret call from completing, Silvanovich wrote in her bug report .
The other four Android apps were patched more recently: JioChat (widely used in India) in July 2020, Mocha (widely used in Vietnam) in August, Facebook Messenger in November and Google Duo in December 2020. If you use any of these apps, make sure they're up-to-date.
More problems likely still out there
Silvanovich wrote that she also examined Telegram and Viber, two other widely used encrypted-messaging apps, but found no issues with calls being connected without the call receiver's knowledge. In November 2018, she disclosed a similar flaw in the Android and iOS versions of WhatsApp that was quickly fixed.
However, Silvanovich pointed out that she looked only at one-to-one calling functions.
"I did not look at any group calling features of these applications," she wrote. "This is an area for future work that could reveal additional problems."
Silvanovich's research into these messenger apps follows on a similar flaw in Apple FaceTime on iOS and macOS that was discovered in January 2019.
"The vulnerability was a logic bug in the FaceTime calling state machine" — the part of the app that determines whether a call is connected or not — "that could be exercised using only the user interface of the device," Silvanovich wrote.
"The fact that such a serious and easy-to-reach vulnerability had occurred," she added, "made me wonder whether other state machines had similar vulnerabilities as well."
Silvanovich focused on Android apps in this particular instance, likely because it's easier to examine their code than those of iOS apps. But as the FaceTime, WhatsApp and Signal instances show, iOS messaging apps are not immune to these flaws.
Asked by a Twitter user why she did not examine the Threema encrypted messenger, predominantly used by German speakers, Silvanovich replied that "I looked at apps with 10M+ installs on Google Play that accept incoming calls."