A 0-click exploit chain for the Pixel 9 (Project Zero)
The Project Zero blog has a three-part series describing a working, zero-click exploit for Pixel 9 devices.
Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones.
The blog entry does not question the wisdom of directly exposing audio decoders to external attackers, but it does provide a lot of detail showing how it can go wrong. The first part looks at compromising the codec; part two extends the exploit to the kernel, and part three looks at the implications:
It is alarming that it took 139 days for a vulnerability exploitable in a 0-click context to get patched on any Android device, and it took Pixel 54 days longer. The vulnerability was public for 82 days before it was patched by Pixel.