Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones.
I’ve spent a fair bit of time investigating these decoders, first reporting CVE-2025-49415 in the Monkey’s Audio codec on Samsung devices. Based on this research, the team reviewed the Dolby Unified Decoder, and Ivan Fratric and I reported CVE-2025-54957. This vulnerability is likely in the 0-click attack surface of most Android devices in use today. In parallel, Seth Jenkins investigated a driver accessible from the sandbox the decoder runs in on a Pixel 9, and reported CVE-2025-36934.
GrapheneOS is the way to go.
A couple months after paying off my 7 Pro the screen assembly fell off, likely due to a dodgy repair the year before. Device protection saved my ass and I received a new (refurbished) replacement. Installed GOS so fast. This will hopefully last several years after which I will look elsewhere for a new phone.
Those Project Zero folks are phenomenal.
Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction
I wonder if lockdown mode disable this. We’ll probably know with article 3.
so get a pixel 8 for now right?
