Google's security research team, Project Zero, has documented one of the most sophisticated attack chains of recent times aimed at Android firmware.
Researchers have demonstrated how it is possible to remotely compromise a Pixel 9 device without user interaction (a zero-click attack) by sending a simple SMS or RCS message with an attached audio file. The seriousness of the discovery lies in the fact that the victim does not need to play the audio; the mere receipt of the message triggers a complete system compromise.
Input vector: Automatic transcription
The gateway for this attack lies in the integration of intelligent functions into the operating system. In modern versions of Android, the Google Messages application attempts to automatically generate a transcript of received audio messages to facilitate text search or accessibility. This process invokes the com.google.android.tts service, which, without human intervention, processes the multimedia file using the system's codecs. This is where the attackers found a critical crack: a vulnerability in the Dolby Unified Decoder (UDC) library, identified as CVE-2025-54957.
The technical fault lies in the memory management of that library, specifically in how it processes Extensible Metadata Delivery Format (EMDF) data within Dolby Digital Plus audio streams. The decoder suffers from an overflow when calculating the buffer size needed for its data structures. This incorrect calculation allows overwriting the pointer used to process the next synchronization frame. By manipulating this pointer, an attacker can redirect the decoder's write operations to arbitrary memory areas, finally overwriting function pointers with controlled data and achieving code execution.
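The size-calculation overflow described above, as an added illustration in C that is not Dolby's code: the header layout, field names and FRAME_LIMIT are assumptions, chosen to show the wrapping arithmetic beside an overflow-checked form that rejects the same input.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical EMDF-like container header (constructed for illustration,
 * not the real Dolby UDC format): an entry count and a per-entry size,
 * both read straight from the attacker-controlled stream. */
typedef struct {
    uint32_t entry_count;
    uint32_t entry_size;
} emdf_hdr_t;

#define FRAME_LIMIT 65536u   /* assumed upper bound on one audio frame */

/* Vulnerable pattern: the 32-bit multiply wraps modulo 2^32, so a huge
 * entry_count yields a tiny allocation while the parser still copies
 * entry_count * entry_size bytes into it. */
uint32_t buffer_size_unchecked(const emdf_hdr_t *h) {
    return h->entry_count * h->entry_size + (uint32_t)sizeof(emdf_hdr_t);
}

/* Hardened pattern: overflow-checked arithmetic plus a sanity bound tied to
 * the frame size. Returns true and sets *out only when the size is sound. */
bool buffer_size_checked(const emdf_hdr_t *h, size_t *out) {
    size_t payload, total;
    if (__builtin_mul_overflow((size_t)h->entry_count, (size_t)h->entry_size, &payload))
        return false;
    if (__builtin_add_overflow(payload, sizeof(emdf_hdr_t), &total))
        return false;
    if (total > FRAME_LIMIT)   /* more bytes than a single frame can carry */
        return false;
    *out = total;
    return true;
}

/* Convenience wrappers so callers can compare both forms on the same input;
 * checked_size() returns 0 to mean "rejected". */
uint32_t unchecked_size(uint32_t count, uint32_t size) {
    emdf_hdr_t h = { count, size };
    return buffer_size_unchecked(&h);
}

size_t checked_size(uint32_t count, uint32_t size) {
    emdf_hdr_t h = { count, size };
    size_t n;
    return buffer_size_checked(&h, &n) ? n : 0;
}
```

With entry_count = 0x40000001 and entry_size = 4 the unchecked product wraps to 4, so the decoder would allocate 12 bytes; the checked form rejects the header outright.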
Exploit Engineering: Overcoming ASLR and Scudo
The researchers note that turning this overflow into a working exploit required extremely complex engineering to bypass modern Android protections such as Address Space Layout Randomization (ASLR) and the Scudo memory allocator. They discovered that the "evo heap" used by the decoder is a monolithic structure that is reset with each frame. To achieve a stable write, they had to manipulate the memory layout by forcing the Scudo allocator to move the "dynamic buffer".
The technique involved deliberately corrupting the headers of Scudo's memory chunks. By modifying the perceived size of a freed chunk and forcing a subsequent reallocation through sequential decoding of multiple audio files, they managed to move the data structures in memory. This created the space needed to insert a malicious EMDF container just before a critical memory header. Through a pair of write primitives called "WRITE DYNAMIC" and "WRITE STATIC", the exploit overwrites specific function pointers in the decoder's static buffer.
However, achieving arbitrary code execution presented an additional challenge due to SELinux restrictions that prevent the codec process from making its own memory executable or loading external libraries. The researchers' creative solution was to use return-oriented programming (ROP) to invoke the pwrite function and write the malicious code directly, allowing the process to modify itself and bypass the usual write-versus-execute protections. Because of ASLR randomness, the exploit has a success rate of approximately one in 255 attempts, which is feasible given that the process automatically restarts after a failure, allowing the attacker to retry until it succeeds within minutes.
Privilege escalation: From codec to kernel
Once the attacker has control over the mediacodec process, the next step is to gain full control of the device. For that, a second vulnerability (CVE-2025-36934) in the Bigwave driver of the Linux kernel was exploited. This driver exposes a character device that is accessible from the context of the multimedia codec. The vulnerability allowed overwriting kernel structures by manipulating an ioctl call; specifically, it elevates the attacker's privileges from a restricted user to the kernel level.
It is noteworthy that this escalation path was possible on the Pixel 9 because Google's firmware applied no restrictive system call filter (seccomp) to codec processing. In contrast, devices like the Samsung S24, while sharing the Dolby decoder vulnerability, applied filters that blocked access to the vulnerable kernel driver, mitigating the entire attack chain.
Impact on the ecosystem and response times
This incident underscores the complexity of the mobile software supply chain. The vulnerability in the Dolby decoder is not exclusive to Android; it also affects Windows, ChromeOS, and Apple devices. However, in Apple ecosystems (macOS and iOS) the exploit is neutralized because the libraries are compiled with the -fbounds-safety flag, which introduces additional bounds checks.
The handling of the fix also revealed significant discrepancies. While the vulnerability was discovered and reported to Dolby in mid-2025, the patch took 139 days to reach all Android end users. Binary patches for the Android ecosystem were not available until October, and the final fix for Pixel devices was only rolled out in January 2026, leaving a considerable window of exposure for a vulnerability of this magnitude.
If you are interested in learning more, you can find the details at the following link.