TL;DR
['New exploit chain for Google Pixel 9 identified, focusing on audio processing vulnerabilities within the Dolby UDC and Google Messages app. Recommends increased scrutiny of third-party services and processes handling user data.']
What happened
["Google Project Zero has uncovered a new 0-click exploit chain targeting the Pixel 9 that leverages the Dolby UDC and the Google Messages application's audio transcription feature to gain unauthorized access without user interaction. The com.google.android.tts service, involved in decoding audio messages, is also implicated."]
Why it matters for ops
['Operators need to be aware of the expanded attack surface presented by third-party services and processes handling sensitive data automatically. This includes the risk posed by audio message transcription features which may expose users to unauthorized access without interaction.']
Mitigation
- Disable automatic transcription features in messaging apps
- Monitor and restrict access to third-party processes handling sensitive data
- Implement strict security controls around audio processing components
Action items
- Review existing mitigation strategies for zero-click attacks
- Update policies regarding the use of third-party services that handle user data
- Conduct a thorough review of all processes involved in automatic data handling on Android devices
Detection IOCs
- Unusual network traffic from Google Messages or com.google.android.tts services
- Unexpected decoding of audio files on Pixel devices
Source link
https://projectzero.google/2026/01/pixel-0-click-part-3.html