Mitigating 0-Click Dolby Decoder Vulnerabilities in Google Messages

Introduction

As mobile operating systems integrate more AI-powered features to enhance user productivity, the attack surface for cyber threats expands. One such feature is the automatic transcription of audio messages in apps like Google Messages. While convenient, this functionality requires media files to be decoded and processed before the user ever interacts with the message.

Recent research from Google Project Zero has uncovered a critical security issue within this mechanism. Specifically, vulnerabilities in the Dolby Unified Decoder—used to process incoming audio attachments—can be exploited via a 0-click attack vector. For defenders, this represents a high-risk scenario: an attacker can execute arbitrary code on a device simply by sending a malicious audio file, with no user interaction required. This post details the vulnerability, its technical implications, and the steps security teams must take to secure their mobile fleets.

Technical Analysis

The vulnerability stems from the integration of the Dolby Unified Decoder into the Android media framework, which is leveraged by Google Messages for auto-transcription. When an audio file is received via SMS or RCS, the app attempts to decode the file to generate a text preview. This process occurs automatically in the background.

Research indicates that the Dolby Unified Decoder contains memory safety vulnerabilities (such as heap overflow or use-after-free) that can be triggered by specially crafted audio files. Because the decoding happens prior to user interaction, this falls strictly into the 0-click attack surface category.

• Affected Products: Google Pixel devices and other Android smartphones utilizing the Dolby Unified Decoder and Google Messages.
• Severity: Critical (Remote Code Execution without user interaction).
• CVE Reference: While the specific CVE for the Dolby issue is pending full disclosure in this series, previous related research includes CVE-2025-49415 in the Monkey’s Audio codec.
• Patch Status: Google typically addresses these deep framework vulnerabilities in monthly Pixel Security Bulletins. IT teams must ensure devices are updated to the latest patches that include fixes for the media framework.

Defensive Monitoring

Detecting 0-click exploits is challenging because there is no user action (like a click or download) to trigger a heuristic alert. However, defenders can monitor for the post-exploitation behaviors that typically follow a successful exploit, such as the messaging app spawning unusual child processes or establishing unexpected network connections.

SIGMA Rules

The following SIGMA rules can be used to detect suspicious behavior originating from the Google Messages application on Android endpoints sending logs to a SIEM.

---
title: Google Messages Spawning Suspicious Child Process
id: 8f4d2a1c-3b6e-4a7f-9c1d-2e3b4a5c6d7f
status: experimental
description: Detects Google Messages spawning a shell or other suspicious process, indicating potential 0-click exploit activity.
references:
  - https://projectzero.google/2026/01/pixel-0-click-part-1.html
author: Security Arsenal
date: 2026/01/15
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: android
detection:
  selection:
    ParentImage|endswith: '/com.google.android.apps.messaging'
    Image|contains:
      - '/sh'
      - '/bin'
      - '/su'
  condition: selection
falsepositives:
  - Legitimate debugging or rare automation interactions
level: critical
---
title: Google Messages Writing Executable File
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects Google Messages writing files with executable extensions or to system directories, which may indicate payload writing.
references:
  - https://projectzero.google/2026/01/pixel-0-click-part-1.html
author: Security Arsenal
date: 2026/01/15
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: file_event
  product: android
detection:
  selection:
    Image|endswith: '/com.google.android.apps.messaging'
    TargetFilename|endswith:
      - '.so'
      - '.sh'
      - '.bin'
  condition: selection
falsepositives:
  - Legitimate media cache writes (rarely use these extensions)
level: high

KQL (Microsoft Sentinel/Defender)

Use these KQL queries in Microsoft Sentinel or Defender for Endpoint to hunt for indicators of compromise (IoC) related to this vulnerability.

// Hunt for suspicious process creation by Google Messages
DeviceProcessEvents
| where InitiatingProcessFolderPath endswith "com.google.android.apps.messaging"
| where ProcessVersionInfoOriginalFileName in ("sh", "dash", "su") or ProcessFolderPath contains "/data/local/tmp"
| project Timestamp, DeviceName, InitiatingProcessFolderPath, ProcessCommandLine, ProcessFolderPath
| order by Timestamp desc

// Hunt for unusual network connections from Messages
DeviceNetworkEvents
| where InitiatingProcessFolderPath endswith "com.google.android.apps.messaging"
| where RemoteUrl contains ".onion" or RemotePort in (4444, 5555, 6666)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFolderPath
| order by Timestamp desc

Velociraptor VQL

These Velociraptor VQL hunts can be deployed to Android endpoints to check for the existence of vulnerable packages or suspicious process ancestry.

-- Check Google Messages Version and Patch Level
SELECT Name, VersionName, LastUpdateTime, ApplicationInfo.uid
FROM android_packages()
WHERE Name = 'com.google.android.apps.messaging'

-- Hunt for suspicious parent-child relationships
SELECT Parent.Pid AS ParentPid, Parent.Name AS ParentName, Child.Pid AS ChildPid, Child.Name AS ChildName, Child.CommandLine
FROM chain(
    parent={SELECT Pid, Name, Exe FROM pslist() WHERE Name =~ 'com.google.android.apps.messaging'},
    child={SELECT Pid, Ppid, Name, Exe, CommandLine FROM pslist()}
)
WHERE Child.Name =~ 'sh' OR Child.Name =~ 'su'

Remediation Scripts

Bash (via ADB for fleet verification)

This script can be used during mobile device management (MDM) auditing or provisioning to verify the security patch level of connected devices.

#!/bin/bash

# Check Security Patch Level
PATCH_LEVEL=$(adb shell getprop ro.build.version.security_patch)

echo "Checking Device Security Patch Level..."
echo "Current Patch Level: $PATCH_LEVEL"

# Define the safe patch date (Adjust based on specific Google release fixing the Dolby issue)
SAFE_PATCH="2026-01-05"

if [[ "$PATCH_LEVEL" > "$SAFE_PATCH" ]]; then
    echo "[PASS] Device is patched against known Dolby decoder issues."
    exit 0
else
    echo "[WARNING] Device may be vulnerable. Current patch ($PATCH_LEVEL) is older than recommended ($SAFE_PATCH)."
    exit 1
fi

Remediation

To protect your organization against this and similar 0-click threats:

1. Patch Immediately: Ensure all Android devices, specifically Google Pixels, are updated to the latest monthly security bulletin. Verify that the patch includes fixes for the "Framework" and "Media Framework" components.
2. Update Google Messages: Enforce updates for the Google Messages app via the Google Play Store. Ensure all devices are running the latest version which may contain additional runtime hardening.
3. Disable Auto-Transcription (If Policy Permits): If the risk tolerance for your organization is low, consider disabling automatic transcription features in Google Messages. This removes the pre-viewing decode trigger, effectively re-introducing user interaction as a security boundary.
4. Deploy Mobile Threat Defense (MTD): Utilize MTD solutions (like Microsoft Defender for Endpoint or specialized Android EDRs) that can detect anomalous process behavior and memory corruption attempts in real-time.
5. Network Segmentation: Ensure mobile devices are isolated from critical internal network segments. Even if a device is compromised via a 0-click exploit, lateral movement should be restricted.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub