Signal today fixed a bug that could have allowed attackers to eavesdrop on victims by placing a call and then immediately auto-answering it, without the callee’s permission.
The bug is reminiscent of Apple’s FaceTime bug discovered in January, which similarly allowed attackers to eavesdrop on other iPhone users by placing and auto-approving a FaceTime audio or video call.
This time, the bug only works via Signal audio calls, and not video, as the Signal app requires users to manually enable camera access in all calls.
Only the Signal app on Android is impacted.
“The iOS client has a similar logical problem, but the call is not completed due to an error in the UI caused by the unexpected sequence of states,” said Natalie Silvanovich, a security researcher with Google’s Project Zero team, and the one who uncovered the issue.
But on Android, Silvanovich said that an attacker could use a modified version of the Signal app to initiate a call, and then press their own Mute button to approve the current call on the callee’s side.
The bug occurs in the “ringing” stage of a call. Attackers can press the Mute button very quickly and avoid a long ring that may alert victims.
The Signal app supports end-to-end encrypted communications and is a favorite among journalists, political figures, dissidents, businesspeople, security researchers, and many other high-profile figures.
Being able to spy on any of these figures could be an advantage for many types of threat actor groups, from nation-state actors to cyber-criminals.
Silvanovich said the bug was fixed today. Signal for Android version 4.48.13 was released earlier on GitHub, but this release doesn’t appear to have reached the Google Play Store, where the last update dates back to September 28, 2019.