CVE-2022-23835

8.1 HIGH

📋 TL;DR

This vulnerability in Android's Visual Voice Mail (VVM) application allows an attacker who temporarily controls an app holding the READ_SMS permission to steal IMAP credentials from SMS messages. Those credentials can then be used to access voice mail messages, including historical ones. Android VVM application versions through February 24, 2022 are affected.

💻 Affected Systems

Products:
  • Android Visual Voice Mail (VVM) application
Versions: All versions through 2022-02-24
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to control an app with READ_SMS permission; some vendors dispute exploitability

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain persistent access to voice mail accounts, potentially accessing sensitive voice messages including authentication codes, business communications, and personal information.

🟠 Likely Case

Targeted attacks against specific individuals to intercept voice mail messages, potentially for identity theft or corporate espionage.

🟢 If Mitigated

Limited impact if SMS permissions are properly restricted and VVM applications are updated or disabled.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering or malware to gain READ_SMS permission first

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2022-02-24

Vendor Advisory: https://www.kb.cert.org/vuls/id/383864

Restart Required: No

Instructions:

1. Update the VVM application to the latest version
2. Check for Android system updates
3. Verify the VVM app version is post-February 2022

🔧 Temporary Workarounds

Disable VVM application

Remove or disable the Visual Voice Mail application

adb shell pm disable-user --user 0 com.android.vvm

Restrict SMS permissions

Review and remove READ_SMS permission from unnecessary applications

adb shell pm revoke <package_name> android.permission.READ_SMS

🧯 If You Can't Patch

  • Implement mobile device management (MDM) to control app permissions
  • Monitor for suspicious SMS access patterns and unauthorized credential usage

🔍 How to Verify

Check if Vulnerable:

Check the VVM app version date; if it predates February 2022, the app is likely vulnerable.

Check Version:

adb shell dumpsys package com.android.vvm | grep versionName

Verify Fix Applied:

Verify that the VVM app version is a post-February 2022 release.

📡 Detection & Monitoring

Log Indicators:

  • Multiple SMS read operations from non-messaging apps
  • Unusual IMAP authentication attempts to voice mail servers

Network Indicators:

  • IMAP connections to voice mail servers from unexpected IPs
  • SMS forwarding to unknown destinations

SIEM Query:

source="android_logs" AND (event="SMS_READ" AND app NOT IN ("com.android.mms", "com.google.android.apps.messaging"))
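As an added example (not part of the original advisory), the SIEM logic above expressed in Python over constructed sample events: it flags SMS reads by apps outside the messaging allowlist, and as a higher-confidence signal correlates such a read with an IMAP connection from the same app shortly afterwards. The event shape, the sample package name com.example.flashlight and the ten-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Messaging apps permitted to read SMS (allowlist from the SIEM query above).
ALLOWED_SMS_READERS = {"com.android.mms", "com.google.android.apps.messaging"}
IMAP_PORTS = {143, 993}  # plain IMAP and IMAPS

# Constructed sample events, not real device logs. The VVM client itself
# (com.android.vvm) talking IMAP is expected; a non-messaging app reading
# SMS and then opening an IMAP session is the pattern worth alerting on.
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T10:00:00", "event": "SMS_READ", "app": "com.google.android.apps.messaging"},
    {"ts": "2022-03-01T10:05:00", "event": "SMS_READ", "app": "com.example.flashlight"},
    {"ts": "2022-03-01T10:05:40", "event": "NET_CONNECT", "app": "com.example.flashlight", "dst_port": 993},
    {"ts": "2022-03-01T12:00:00", "event": "NET_CONNECT", "app": "com.android.vvm", "dst_port": 993},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def unexpected_sms_readers(events, allowlist=ALLOWED_SMS_READERS):
    """Log indicator: every app that read SMS and is not on the messaging allowlist."""
    return sorted({e["app"] for e in events
                   if e["event"] == "SMS_READ" and e["app"] not in allowlist})


def imap_after_sms_read(events, window=timedelta(minutes=10), allowlist=ALLOWED_SMS_READERS):
    """Correlated indicator: a non-allowlisted app reads SMS and then opens an IMAP
    connection within `window`. Returns (app, sms_read_ts, imap_connect_ts) tuples."""
    hits = []
    reads = [e for e in events if e["event"] == "SMS_READ" and e["app"] not in allowlist]
    for read in reads:
        for net in events:
            if net["event"] != "NET_CONNECT" or net["app"] != read["app"]:
                continue
            if net.get("dst_port") not in IMAP_PORTS:
                continue
            delta = _ts(net) - _ts(read)
            if timedelta(0) <= delta <= window:
                hits.append((read["app"], read["ts"], net["ts"]))
    return hits


if __name__ == "__main__":
    print("non-messaging SMS readers:", unexpected_sms_readers(SAMPLE_EVENTS))
    print("SMS read followed by IMAP:", imap_after_sms_read(SAMPLE_EVENTS))
```

Credentials stolen this way are usually replayed from elsewhere, so the on-device correlation complements, rather than replaces, the server-side check for IMAP logins from unexpected IPs listed under Network Indicators.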

🔗 References
