When you hear about a CVE (Common Vulnerabilities and Exposures) report, it's often about a clear, present danger—software bugs or design flaws that open the door for hackers. But not every CVE is black and white. Today, let’s look at CVE-2022-23835, a vulnerability that got the "DISPUTED" tag, making it a bit controversial in the security community. Let’s break down what this issue is, see the code snippet pattern, and discuss whether it’s really a risk for Android users using Visual Voice Mail (VVM).
What Is CVE-2022-23835?
In a nutshell: Some Android versions through 2022-02-24 let attackers who can briefly get their app on your phone—with the READ_SMS permission—steal IMAP login info for your voicemail. With these credentials, they could listen to *all* your voicemails, not just new ones. Here’s the kicker: the SMS with the login info *isn’t* shown to you in regular messaging apps. It stays hidden.
Step 1: Attacker App With READ_SMS
Imagine a shady or hacked app you install (even temporarily) that asks for the READ_SMS permission (common for communication or backup apps).
<uses-permission android:name="android.permission.READ_SMS"/>
Step 2: The Secret SMS
When you set up Visual Voice Mail, your phone gets a secret, machine-formatted SMS. This message contains IMAP login info to fetch your voicemails. The SMS is marked as “invisible,” so you never see it in your messaging app.
But *apps with READ_SMS* permission can see it.
Here’s a Python-like pseudocode of how an attacker app could grab the info
import android
droid = android.Android()
# Get all SMS messages
messages = droid.smsGetMessages(True, 'inbox').result
for msg in messages:
if "vvm" in msg['body'].lower() and "imap" in msg['body'].lower():
print("Found potential VVM credentials:", msg['body'])
# Attacker would extract username/password here
With these credentials, attackers can set up an IMAP client and download all your voicemails.
Step 4: Persistent Attacker Access
Even if you remove the attacker app now, the credentials are already stolen! They can keep accessing your voicemail until you change your phone number, or your provider resets the IMAP password (which typically isn’t easy).
No code runs on the network or leaks directly from VVM, only via permissioned apps.
- IMAP credentials are “least-privilege”—they only allow voicemail access (not full account takeover).
Some consider these SMS not “user data,” but temporary provisioning.
Official statement (paraphrased):
> "This does not represent a concrete and exploitable risk."
READ_SMS is a highly requested permission. Many honest-looking apps may abuse it.
- Once stolen, credentials offer full voicemail history—some may contain private or sensitive info.
Here’s what such a secret SMS might look like (example, not real credentials)
From: +12345
Body: //VVM:STATUS:... imap.mycarrier.com:993|ssl|user123:passwordABC
A malicious app would parse this to create
server = "imap.mycarrier.com"
username = "user123"
password = "passwordABC"
# Now, attacker logs in and downloads your voicemail
Mitigations
- Google has improved how these secret SMS are handled in newer Android versions (i.e., limiting visibility to default SMS apps).
References & Further Reading
- CVE-2022-23835 entry at MITRE
- Android Visual Voice Mail design
- Google Issue Tracker discussion
- NIST National Vulnerability Database
- Related post on VVM by security researcher Jon Sawyer
In Summary
CVE-2022-23835 sits in a gray zone: it *could* let a rogue app steal sensitive voicemail info, but only if you granted it access. Android and provider updates are reducing—but not eliminating—the chance a trusted-looking app could be a thief in disguise.
Timeline
Published on: 02/25/2022 04:15:00 UTC
Last modified on: 03/10/2022 16:38:00 UTC