Four of the 18 reported vulnerabilities are critical and could let cyber criminals hack smartphones remotely, using only the user's phone number.
Tim Willis, head of Project Zero, said tests conducted by the company confirmed that those four vulnerabilities allow a hacker to “remotely compromise a phone at the baseband level with no user interaction”.
“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely,” Mr Willis said.
However, the report said the 14 other vulnerabilities are not as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.
Affected mobile devices include South Korean company Samsung’s S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series phones.
Other devices include Chinese brand Vivo's S16, S15, S6, X70, X60 and X30 series phones; Google’s Pixel 6 and Pixel 7 series phones; and any vehicles that use the Exynos Auto T5123 chipset.
Under its standard disclosure policy, Project Zero discloses security vulnerabilities to the public a set time after reporting them to a software or hardware vendor.
What will be the patch timeline?
It’s still not clear.
Project Zero researchers expect that patch timelines will vary per manufacturer. For example, affected Pixel devices have already received a security update this month. Although Google has already patched the issues for Pixel 7 series phones, the update has not reached the Pixel 6 series phones yet.
In the meantime, Google says users with affected devices can protect themselves from the vulnerabilities by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. VoLTE is how phones and carriers transmit our voices during a call.
“We encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities,” Mr Willis said.
Samsung, which was the largest smartphone manufacturer last year, and other vendors have yet to resolve the issues affecting the Exynos chips.
In September last year, Samsung said it suffered a cyber security breach in July that exposed the personal information of some customers in the US.