Whisper Systems

Signal fixed today a bug that could have allowed attackers to eavesdrop on victims by placing and then immediately auto-answering a call, without the callee's permission.

The bug is reminiscent of Apple's FaceTime bug discovered in January, which similarly allowed attackers to eavesdrop on other iPhone users by placing and auto-approving a FaceTime audio or video call.

This time, the bug only works via Signal audio calls, and not video, as the Signal app requires users to manually enable camera access in all calls.

Only the Signal app on Android is impacted.

"The iOS client has a similar logical problem, but the call is not completed due to an error in the UI caused by the unexpected sequence of states," said Natalie Silvanovich, a security researcher with Google's Project Zero team, and the one who uncovered the issue.

But on Android, Silvanovich said that an attacker could use a modified version of the Signal app to initiate a call, and then press their own Mute button to approve the current call on the callee's side.

The bug occurs in the "ringing" stage of a call. Attackers can press the Mute button very quickly and avoid a long ring that may alert victims.

You can send the signal quickly, so it doesn’t have to ring for very long — Natalie Silvanovich (@natashenka) October 4, 2019

"Even if the call was answered quickly, users would see a visible indication that a call was in progress," a Signal spokeserson told ZDNet. "There would also always be a record of the completed call at the top of your conversation list."

The Signal app supports end-to-end encrypted communications and is a favorite among journalists, political figures, dissidents, businesspeople, security researchers, and many other high-profile figures.

Being able to spy on any of these figures could be an advantage for many types of threat actor groups, from nation-state actors to cyber-criminals.

A Signal spokesperson said the bug was fixed in version 4.47.7, released last week, on the same day Silvanovich reported it.

Updated with information about the patched version and comment from a Signal spokesperson.