• Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. • One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. • One such feature is audio transcription. • Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. • As a result, audio decoders are now in the 0-click attack surface of most Android phones. • Iâve spent a fair bit of time investigating these decoders, first reporting CVE-2025-49415 in the Monkeyâs Audio codec on Samsung devices.
Article Summaries:
- Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones. Iâve spent a fair bit of
- While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our experience finding, reporting and exploiting these vulnerabilities highlighted some broader issues in the Android ecosystem. This post describes the problems we encountered and recommendations for improvement. Audio Attack Surface The Dolby UDC is part of the 0-click attack surface of most Android devices because of audio transcription in the Google Messages application. Incoming audio messages are transcribed before a user interacts with t
Sources: