Users of the Android version of Signal should take care to use the latest version of the software. In the messenger app gaped until recently a security gap, over which attackers Smartphone owners in the worst case can listen unnoticed. This has Natalie Silvanovich of Google's hacker team Project Zero public.
According to the security researcher's report, attackers who knew the problem and knew how to exploit it using a modified app client could initiate a call via Signal, thereby fooling the application into believing that the person being called would have picked it up. Due to the gap, the Android version of the app accepted this approach, unlocked the line and the attacker could overhear his victim.
Only sound was transmitted, it is said, the video camera was not activated. At best, however, the attack promised to be successful if the call recipient did not hear the call or put his device silently.
Signal is protected from version 4.47.7
In the meantime, an app update has been released which has resolved the vulnerability. The protected version of Signal can be recognized by the version number 4.47.7. For safety's sake, Android users should check the Signal app under "Settings / Additional settings" to see if their revised version is already installed on their smartphone. If this is not the case, they should import the new version via Google's Play Store.
On iOS, the gap could not be exploited unlike on Android, writes Natalie Silvanovich. The attempt leads to a problem in the user interface, the call of the attacker is not put through. She recommends the signal makers against this background, but also a revision of the iOS version, writes the security expert.
The gap is a bit reminiscent of a security issue that was affecting iOS users at the beginning of the year. At that time a bug in Apple's video chat software FaceTime became known. The vulnerability had allowed callers to hear a called party even before he answered the call.
