Signal and Facebook Messenger let hackers spy on you: What to do

The Facebook Messenger, Signal, WhatsApp and Facebook app icons on the screen of an Android phone.
(Image credit: Michele Ursi/Shutterstock)

Signal, Facebook Messenger, Google Duo and two other video-conferencing and chat apps, JioChat and Mocha, could have let eavesdroppers listen in on Android users, a Google researcher has revealed. 

The flaws would let a call connect to a receiving device without alerting the receiving device's user in any way, quietly opening up an audio, and sometimes a video, stream back to the calling device. The flaws have all been patched, so make sure you update the apps on your Android devices.

"Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection," Silvanovich wrote in a Google Project Zero blog post.

"However, when I looked at real applications they enabled transmission in many different ways," she added. "Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee."
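The pattern Silvanovich describes, as an added illustration that is not code from the article or from any of the apps it names: a callee-side call state machine where only the user's accept action may enable transmission. `FakePeerConnection`, `CalleeCall` and the signaling message names are assumptions standing in for a real WebRTC peer connection and signaling layer.

```javascript
// Added example: minimal callee state machine for incoming calls.
// FakePeerConnection is a constructed stand-in for RTCPeerConnection.
class FakePeerConnection {
  constructor() { this.tracks = []; }
  addTrack(kind) { this.tracks.push(kind); }   // records what would be transmitted
}

const STATE = { IDLE: "idle", RINGING: "ringing", ACCEPTED: "accepted", ENDED: "ended" };

class CalleeCall {
  // gateOnAccept=false models the weak pattern the article describes: transmission
  // enabled by a signaling message instead of by the callee's accept action.
  constructor(pc, gateOnAccept = true) {
    this.pc = pc; this.gateOnAccept = gateOnAccept; this.state = STATE.IDLE;
  }
  handleSignal(msg) {
    switch (msg.type) {
      case "offer":      // remote side proposes a call: ring, but never transmit yet
        if (this.state === STATE.IDLE) this.state = STATE.RINGING;
        break;
      case "connect":    // remote side claims the call is connected
        if (this.gateOnAccept) {
          // Hardened: a peer message cannot grant consent; only ACCEPTED may send media.
          if (this.state === STATE.ACCEPTED) this.enableTransmission();
        } else {
          // Weak: a "connect" arriving while still ringing starts sending media silently.
          if (this.state !== STATE.ENDED) this.enableTransmission();
        }
        break;
      case "hangup":
        this.state = STATE.ENDED;
        break;
    }
  }
  userAccepts() {        // the only local action that grants consent
    if (this.state === STATE.RINGING) { this.state = STATE.ACCEPTED; this.enableTransmission(); }
  }
  enableTransmission() {
    if (this.pc.tracks.length === 0) { this.pc.addTrack("audio"); this.pc.addTrack("video"); }
  }
}

// Scenario from the article: "connect" arrives while the callee is still ringing.
// Returns the number of local tracks added; 0 means nothing left the device without consent.
function silentConnectAttempt(gateOnAccept) {
  const pc = new FakePeerConnection();
  const call = new CalleeCall(pc, gateOnAccept);
  call.handleSignal({ type: "offer" });
  call.handleSignal({ type: "connect" });
  return pc.tracks.length;
}
```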

The Signal flaw was fixed in the service's Android app in September 2019, and it's unlikely that many Signal users would still be vulnerable. The Signal iOS app was not affected only because a second, unrelated flaw prevented the secret call from completing, Silvanovich wrote in her bug report.

The other four Android apps were patched more recently: JioChat (widely used in India) in July 2020, Mocha (widely used in Vietnam) in August, Facebook Messenger in November and Google Duo in December 2020. If you use any of these apps, make sure they're up-to-date.

More problems likely still out there

Silvanovich wrote that she also examined Telegram and Viber, two other widely used encrypted-messaging apps, but found no issues with calls being connected without the call receiver's knowledge. In November 2018, she disclosed a similar flaw in the Android and iOS versions of WhatsApp that was quickly fixed.

However, Silvanovich pointed out that she looked only at one-to-one calling functions. 

"I did not look at any group calling features of these applications," she wrote. "This is an area for future work that could reveal additional problems."

Silvanovich's research into these messenger apps follows on a similar flaw in Apple FaceTime on iOS and macOS that was discovered in January 2019.

"The vulnerability was a logic bug in the FaceTime calling state machine" — the part of the app that determines whether a call is connected or not — "that could be exercised using only the user interface of the device," Silvanovich wrote. 

"The fact that such a serious and easy-to-reach vulnerability had occurred," she added, "made me wonder whether other state machines had similar vulnerabilities as well."

Silvanovich focused on Android apps in this particular instance, likely because it's easier to examine their code than those of iOS apps. But as the FaceTime, WhatsApp and Signal instances show, iOS messaging apps are not immune to these flaws.

Asked by a Twitter user why she did not examine the Threema encrypted messenger, predominantly used by German speakers, Silvanovich replied that "I looked at apps with 10M+ installs on Google Play that accept incoming calls."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • SteveO63
    admin said:
    Signal, Facebook Messenger, Google Duo and two other messaging apps had flaws that let audio and video calls connect without the call receiver's knowledge, a Google researcher revealed.

    Signal and Facebook Messenger let hackers spy on you: What to do

    This is quite outdated - 2019 news. Long since patched. You guys can do better than that.
  • mikaelarhelger
    Nonsense. To read an article like this is nothing more than irritating and of poor taste (referring to Signal which IMHO is flawless when it comes to security).
  • IdiotMedia
    I used to have respect for tomsguide.com. After reading this article which was so abhorrently click-bait to incite fear about personal privacy in an app that many people are now using for personal protection is such a slimy indecent moral. Shame on you tomsguide.com, shame on you personally Paul Wagenseil.
  • Jacob777
    This was a good article. I didn't know that Signal had these flaws. I thought it was a safe app. I don't really trust any of these tech companies. I think they are all owned by the same groups of <<Content removed by moderator>>
  • IdiotMedia
    Jacob777 said:
    This was a good article. I didn't know that Signal had these flaws. I thought it was a safe app. I don't really trust any of these tech companies. I think they are all owned by the same groups of mofo's
    Check sources, the flaw was solved in 2019. It is a click bait article.