Popular encrypted messaging app Signal has fixed a crucial flaw in its Android app that could have allowed bad actors to answer calls on your behalf, with no interaction required from you.
Google’s Project Zero team, which uncovered the bug on September 28, said it only affects audio calls, as the video option needs to be manually enabled for all incoming calls.
Signal has since patched the problem in its latest update of the app (version 4.47.7).
“Using a modified client, it is possible to send the ‘connect’ message to a callee device when an incoming call is in progress, but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device,” Project Zero’s Natalie Silvanovich noted.
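The state check this bug turns on can be shown with a small model of the callee side. This is an added example, not Signal's code and not taken from the Project Zero report; the class, the state names, the "offer" message and the `require_local_accept` switch are assumptions made for illustration, and only the "connect" message name comes from the quote above.

```python
from enum import Enum, auto

class CallState(Enum):
    IDLE = auto()
    RINGING = auto()     # incoming call offered, user has not responded
    CONNECTED = auto()   # call answered, microphone audio is flowing

class CalleeCall:
    """Constructed toy model of a callee's call state; not Signal's implementation."""

    def __init__(self, require_local_accept):
        self.require_local_accept = require_local_accept  # hypothetical hardening switch
        self.state = CallState.IDLE
        self.mic_open = False
        self.dropped = []  # peer messages refused as invalid for the current state

    def _answer(self):
        self.state = CallState.CONNECTED
        self.mic_open = True

    def on_user_accept(self):
        # Local UI action: the only legitimate way for a callee to answer.
        if self.state is CallState.RINGING:
            self._answer()

    def on_peer_message(self, msg):
        if msg == "offer" and self.state is CallState.IDLE:
            self.state = CallState.RINGING
        elif (msg == "connect" and self.state is CallState.RINGING
              and not self.require_local_accept):
            # Flawed path: a remote message is treated as if the user answered.
            self._answer()
        else:
            # Everything else, including a peer "connect" when local
            # acceptance is required, is dropped and recorded.
            self.dropped.append((self.state.name, msg))

def replay(events, require_local_accept):
    """Feed constructed (source, name) events to a fresh call and return it."""
    call = CalleeCall(require_local_accept)
    for source, name in events:
        if source == "peer":
            call.on_peer_message(name)
        elif source == "user" and name == "accept":
            call.on_user_accept()
    return call

# Constructed traces: the peer rings, then either sends "connect" or the user answers.
UNANSWERED = [("peer", "offer"), ("peer", "connect")]
ANSWERED = [("peer", "offer"), ("user", "accept")]
```

Replaying `UNANSWERED` with `require_local_accept=False` ends with the microphone open; with `True` the call stays in `RINGING` and the refused message is recorded in `dropped`, which is also the kind of event worth logging on the receiving side.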
The eavesdropping flaw would have been an issue on the iOS version of Signal too, if it weren’t for an error in the user interface that prevented the call from being completed. As it stands, the flaw can’t be exploited on iOS.
The bug is also very similar to a major FaceTime flaw that was uncovered this year, which allowed a remote attacker to hear the other person’s voice even before they answered the call.
If you are a Signal user, you should waste no time updating the app.