A researcher has recently disclosed a severe vulnerability in the Visual Voice Mail app affecting Android users. As per his findings, exploiting the vulnerability allows eavesdropping of voice messages. However, the bug report currently has a disputed status as the telecom giants refused to acknowledge it.
Android Visual Voice Mail App Vulnerability
Researcher Chris Talbot has shared details about a Visual Voice Mail application vulnerability that allows eavesdropping on voice messages.
What is Visual Voice Mail (VVM)
Visual Voice Mail (VVM) first came into existence with iOS, which Google adopted later since Android 6.0. It’s a voice mail visual interface that presents an organized list of messages for playback, and sometimes, a transcript.
As revealed through Talbot’s write-up, the vulnerability does not typically affect Android OS. Instead, it exists due to how mobile carriers implement it. While the app has a standard implementation, Talbot explained that telecom providers often tweak VVMs.
An adversary can gain persistent access to the target users’ VVMs and listen to voice messages.
This vulnerability has received CVE ID CVE-2022-23835. As mentioned in the vulnerability description,
The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.)
Alongside sharing the technical details about the vulnerability, the researcher has also shared the PoC separately.
Despite Talbot’s reports, the telecom providers don’t seem to agree with him. As he mentioned, AT&T and T-Mobile USA called the bug not “concrete and exploitable risk,” following Talbot’s report on HackerOne. The researcher didn’t test the exploit with Verizon Wireless.
Nonetheless, the CERT/CC has issued a detailed advisory in this regard, alerting users. It advises users to delete VVM data quickly, change VVM passwords (if supported), and take measures to prevent SMS interception to avoid the risk.