According to a late-September bug report from Google’s Project Zero team, an issue with the popular covert messaging app Signal, on Android, allowed any attacker to essentially eavesdrop on a person’s device (via audio, not video).
As Project Zero describes:
“In the Android client, there is a method handleCallConnected that causes the call to finish connecting. During normal use, it is called in two situations: when callee device accepts the call when the user selects ‘accept’, and when the caller device receives an incoming “connect” message indicating that the callee has accepted the call.
Using a modified client, it is possible to send the “connect” message to a callee device when an incoming call is in progress, but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device.”
That’s a pretty unfortunate experience for anyone affected, but we have some good news. First up, if you’re an iOS user, the bug doesn’t affect you at all. Second, there’s already a fix for this problem for Android users; you simply have to update the Signal app, if it isn’t already up to date. To do so, hit up the Play Store app on your device, tap the hamburger icon in the upper-left corner, tap on “My apps & games,” and update away.
You’re going to want to make sure you’re running version 4.47.7 of the app, at minimum, which you can check by pulling up Settings, tapping on “Apps & notifications,” tapping on Signal (or See all … apps, if it’s not at the top of the list), tapping on Advanced, and scrolling down to the bottom of the screen to check the app’s version number.
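The flaw Project Zero describes is a missing state check: one method finishes connecting the call no matter which side it runs on or what triggered it. The simplified model below is an added example, not Signal's code or its actual fix; apart from handleCallConnected, every name in it (CallStateModel, Role, State, Source, isExpected) is hypothetical, and the guard is one assumed way to close the gap.

```java
// Simplified model of the call flow described above; not Signal's code.
public class CallStateModel {
    enum Role { CALLER, CALLEE }
    enum State { DIALING, RINGING, CONNECTED }
    enum Source { LOCAL_USER_ACCEPT, REMOTE_CONNECT_MESSAGE }

    private final Role role;
    private final boolean hardened;
    private State state;

    CallStateModel(Role role, boolean hardened) {
        this.role = role;
        this.hardened = hardened;
        // A caller starts out dialing; a callee starts out ringing.
        this.state = (role == Role.CALLER) ? State.DIALING : State.RINGING;
    }

    // Stand-in for handleCallConnected: finishes connecting the call.
    boolean handleCallConnected(Source source) {
        if (hardened && !isExpected(source)) {
            return false; // unexpected trigger for this role: stay unconnected
        }
        if (state == State.CONNECTED) {
            return false; // already connected, nothing to do
        }
        state = State.CONNECTED; // audio would start flowing here
        return true;
    }

    // Hypothetical guard: each role has exactly one legitimate trigger.
    private boolean isExpected(Source source) {
        if (role == Role.CALLER) {
            return state == State.DIALING && source == Source.REMOTE_CONNECT_MESSAGE;
        }
        return state == State.RINGING && source == Source.LOCAL_USER_ACCEPT;
    }

    public static void main(String[] args) {
        for (boolean hardened : new boolean[] {false, true}) {
            CallStateModel callee = new CallStateModel(Role.CALLEE, hardened);
            boolean viaMessage = callee.handleCallConnected(Source.REMOTE_CONNECT_MESSAGE);
            boolean viaUser = callee.handleCallConnected(Source.LOCAL_USER_ACCEPT);
            CallStateModel caller = new CallStateModel(Role.CALLER, hardened);
            boolean callerOk = caller.handleCallConnected(Source.REMOTE_CONNECT_MESSAGE);
            System.out.printf("hardened=%b callee answered by message=%b, by user=%b, caller connected=%b%n",
                    hardened, viaMessage, viaUser, callerOk);
        }
    }
}
```

In the unguarded run the ringing callee is answered by the remote message alone; with the guard, only the local accept connects the callee while the caller's normal path still works.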