Researcher discovered a logical flaw in the Signal messaging app for Android that could be exploited by a malicious caller to force a call to be answered at the receiver’s end without interaction.
Google Project Zero white-hat hacker Natalie Silvanovich discovered a logical vulnerability in the Signal messaging app for Android that could be exploited by a malicious caller to force a call to be answered at the receiver’s end without requiring his interaction.
This means that the attacker could spy on the receiver through the microphone of his device.
However, the Signal vulnerability can only be exploited if the receiver fails to answer an audio call over Signal, eventually forcing the incoming call to be automatically answered on the receiver’s device.
The logical vulnerability resides in a method handleCallConnected that could be abused cause the call to be answered, even though the user the interaction.
“In the Android client, there is a method handleCallConnected that causes the call to finish connecting. During normal use, it is called in two situations: when the device accepts the call when the user selects ‘accept,’ and when the device receives an incoming “connect” message indicating that the has accepted the call,” reads the analysis published by Silvanovich. “Using a modified client, it is possible to send the “connect” message to a callee device when an incoming call is in progress but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device.”
Silvanovich explained that the iOS client is affected by a similar logical issue, but the call is not established due to an error in the UI caused by the unexpected sequence of states.
Silvanovich shared her findings with the Signal security team last week that quickly addressed it on the same day with the release of the version v4.47.7.
The post A bug in Signal for Android could be exploited to spy on users appeared first on Security Affairs.