“There is a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up,” Google Project Zero writes.
The problem is similar to a bug discovered earlier this year in the Apple FaceTime function in iOS, which also made it possible to hear sound and see video from the other party’s device before they answer the call.
The vulnerability in Signal discovered by Natalie Silvanovich, a specialist in the Google Project Zero team, is associated with the handleCallConnected method, which is responsible for the final connection of the call.
“In a normal situation, a [handleCallConnected] call occurs in two cases: when the called device accepts the call when the user selects ‘accept’, or when the calling device receives a ‘connect’ message if the called party receives the call. Using a modified client, it is possible to send a ‘connect’ message to the called device during a call, but before the user receives it. Thus, the call will be accepted even without user intervention,” writes Silvanovich.
As noted, the vulnerability only works with audio calls and this method is not suitable for video calls, because in the Signal application users need to manually turn on the camera.
Despite the fact that a similar problem exists in the iOS version of the messenger, only users of the Android version are at risk, since the call fails in the iOS client due to an error in the user interface.
The application’s developers were informed about the problem and fixed it several hours after the researcher’s report. A fixed version of Signal for Android (4.48.13) is available on GitHub.
Natalie Silvanovich recommends improving the logic in both clients, as it is possible the UI problem doesn’t occur in all situations.
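The logic error described above can be shown with a simplified call state machine. This is an added example, not Signal's code: the `Call`, `Role` and `State` names and the `strict` flag are hypothetical, and the role check is one possible way to harden the handler, not necessarily the fix Signal shipped.

```python
from enum import Enum, auto

class Role(Enum):
    CALLER = auto()
    CALLEE = auto()

class State(Enum):
    RINGING = auto()
    CONNECTED = auto()

class Call:
    """One end of an audio call (hypothetical model, not Signal's code)."""

    def __init__(self, role, strict):
        self.role = role
        self.strict = strict        # True = hardened 'connect' handling
        self.state = State.RINGING
        self.mic_open = False
        self.rejected = []          # refused events, kept for logging/alerting

    def _handle_call_connected(self):
        # Final connection step: from here on, audio flows to the peer.
        self.state = State.CONNECTED
        self.mic_open = True

    def on_local_accept(self):
        # The user tapped 'accept'; only the callee can do this.
        if self.role is Role.CALLEE and self.state is State.RINGING:
            self._handle_call_connected()

    def on_remote_connect(self):
        # A 'connect' message arrived from the peer.
        if self.strict and self.role is not Role.CALLER:
            # Only the calling side should ever be told the call connected.
            self.rejected.append("connect received while acting as callee")
            return
        if self.state is State.RINGING:
            self._handle_call_connected()

def simulate(strict):
    """Callee receives 'connect' from the peer before the user answers."""
    callee = Call(Role.CALLEE, strict)
    callee.on_remote_connect()
    return callee
```

Without the role check the callee's microphone opens with no user action. With it, the message is refused and recorded, and the call connects only after `on_local_accept()`.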