RESEARCH ANALYSIS

Silent Attack: How Your Phone's AI Audio Features Opened a Zero-Click Door to Pixel 9

AI-powered audio transcription in Google Messages silently decodes every incoming attachment — handing attackers a zero-click exploit surface via flawed Dolby and Monkey's Audio decoders.

2026-04-15 · Source: Project Zero Blog

This analysis is based on research published by Project Zero Blog. CypherByte adds analysis, context, and security team recommendations.

Executive Summary

A new research series from Google Project Zero has surfaced a chilling consequence of the AI feature race in mobile computing: the same automated intelligence that makes your phone smarter is quietly expanding the attack surface available to adversaries who never need you to tap, swipe, or open a single message. The research — covering CVE-2025-49415 in Samsung's Monkey's Audio codec and CVE-2025-54957 in the Dolby Unified Decoder — demonstrates that audio decoders invoked automatically by Google Messages' transcription pipeline are now firmly in the zero-click attack surface of the majority of Android devices, including Google's own Pixel 9 series. Security teams responsible for enterprise Android fleets, mobile device management platforms, and consumer-facing application security should treat this research as a category-level warning, not an isolated bug report.

This first installment of Project Zero's multi-part series focuses on the architectural shift that made these vulnerabilities possible and the specific mechanics of the Dolby Unified Decoder flaw discovered by researcher Ivan Fra alongside the team's broader codec audit. The implications extend well beyond the named CVEs: the pattern of pulling complex, legacy media-parsing code into zero-click processing pipelines is systemic across the Android ecosystem, and the researchers make clear that this is the beginning of a larger body of findings. Security decision-makers who dismiss this as a Pixel-specific patch event will miss the structural lesson embedded in the research.

Technical Analysis

The root cause of this vulnerability class is deceptively straightforward: Google Messages' audio transcription feature processes incoming SMS and RCS audio attachments automatically and entirely without user interaction. This is a deliberate product decision — transcription must happen before a message is opened so that a summary or searchable transcript is ready when the user glances at their notification. The side effect is that any audio file delivered to the device triggers the full audio decoding stack with no gatekeeping by the user whatsoever. An attacker who can send a malformed audio file to a target's phone number or RCS address has a direct, automated invocation of the decoder — no social engineering required.

Project Zero's audit began with CVE-2025-49415, a memory corruption vulnerability identified in the Monkey's Audio (APE) codec implementation on Samsung devices. Monkey's Audio is a lossless audio compression format with a notoriously complex bitstream parser — a category of code historically prone to integer arithmetic errors and boundary miscalculations when processing malformed input. The Samsung-specific implementation contained a flaw that could be triggered by a crafted .ape file delivered via the messaging pipeline, resulting in exploitable memory corruption at the decoder layer, before any user-visible action occurs.

Key Finding: Audio decoders invoked by AI transcription pipelines operate with no user interaction gate. A single malformed audio message delivered to a known phone number or RCS address is sufficient to trigger decoder execution on the target device — making this a true zero-click remote attack vector on affected hardware.

Building on that initial finding, the Project Zero team broadened their audit to the Dolby Unified Decoder, a component present across a wide range of Android devices including the Pixel 9 lineup. The Dolby decoder handles multiple audio formats under a unified parsing architecture, which — while efficient from an engineering standpoint — concentrates risk: a single vulnerability in the shared parsing layer potentially affects all formats routed through it. CVE-2025-54957 identifies such a flaw. While full technical exploitation details are being responsibly staged across the multi-part series, the Project Zero disclosure confirms the vulnerability is reachable via the same zero-click pathway: a crafted audio attachment delivered through Google Messages triggers the Dolby Unified Decoder without user interaction, and the flaw produces conditions consistent with a working exploit chain on Pixel 9 hardware.

The attack chain architecture follows a pattern well-known to mobile exploit researchers: attacker-controlled input → automatic pipeline invocation → vulnerable native code execution → memory corruption → privilege escalation. The zero-click nature of the entry point is what elevates this from a concerning bug to a high-severity exploit primitive. Native audio decoders typically run in sandboxed processes, but achieving code execution in a sandboxed context is the first stage of a multi-step chain — subsequent stages targeting sandbox escapes and privilege escalation have been well-documented in prior mobile exploit research.

Impact Assessment

The immediate impact scope includes Google Pixel 9 series devices running affected software versions (addressed in the relevant Android Security Bulletin patches), as well as Samsung devices carrying the vulnerable Monkey's Audio implementation. However, the broader impact assessment must account for the ecosystem-level reality: the Dolby Unified Decoder is licensed to and deployed across dozens of Android OEMs. Any device that uses the Dolby decoder stack and has Google Messages' transcription feature active should be considered potentially in-scope until individual OEM patch status is confirmed.

In real-world consequence terms, a successful zero-click exploit chain of this nature would enable an attacker to achieve code execution on the target device with no indication to the user. There is no notification that a message triggered decoder activity, no suspicious prompt, and no opportunity for a security-conscious user to intervene. For high-value targets — executives, journalists, government officials, or anyone subject to targeted mobile surveillance — this represents exactly the class of vulnerability deployed by commercial spyware vendors. The Project Zero team's framing of this as an exploit chain suggests that decoder-level code execution is being treated as a launchpad, not the end goal.

Affected Surface: Google Pixel 9 (CVE-2025-54957, Dolby Unified Decoder) · Samsung devices (CVE-2025-49415, Monkey's Audio) · Any Android OEM deploying the Dolby Unified Decoder stack with Google Messages transcription enabled.

CypherByte Perspective

This research crystallizes a tension that will define mobile security for the next several years: AI-powered convenience features and zero-click attack surface grow together. Every automated processing pipeline added to make a phone smarter is, from a security architecture standpoint, a new pathway that bypasses the only reliable security control most mobile users have — their own decision not to interact with suspicious content. When transcription, summarization, and on-device AI analysis all require pre-emptive decoding of untrusted input, the attack surface expands in proportion to the feature set. The industry has not yet developed a mature framework for auditing this expanded surface before features ship.

CypherByte assesses that this is not a Google-specific or Pixel-specific problem. Every major mobile platform is racing to deploy similar AI-adjacent automatic processing features. Apple's notification summaries, on-device media intelligence, and similar pipelines on iOS create structurally identical risks — and are equally dependent on the security quality of underlying media parsing libraries, many of which carry decades of technical debt. The Project Zero findings should prompt every mobile platform security team to conduct an immediate audit of what native code is being invoked automatically, on untrusted input, before any user interaction occurs.

Indicators and Detection

Detection of active exploitation of zero-click audio decoder vulnerabilities is genuinely difficult — by design, there is no user-visible event to correlate against. However, defenders operating mobile device management platforms or endpoint telemetry on Android fleets should monitor for the following indicators of compromise and anomalous behavior patterns:

Process anomalies: Unexpected child processes spawned from com.google.android.apps.messaging or the associated media decoder service processes. Any network connection initiated from decoder sandbox processes warrants immediate investigation.

Memory telemetry: Crash reports or tombstone files (/data/tombstones/) referencing Dolby decoder libraries (libdolby*.so) or APE decoder components on Samsung devices — particularly if correlated with receipt of an audio message the user did not open.

File system artifacts: Unexpected .ape, .ac3, .eac3, or .mlp format files staged in application cache directories associated with Google Messages.

Network indicators: Post-exploitation C2 traffic is device- and payload-specific, but any anonomalous outbound connection from a device with no corresponding user-initiated application activity should be treated as a priority alert in high-risk environments.

Detection Note: The absence of user interaction is itself an indicator. If MDM telemetry shows decoder process activity correlated with an inbound message that was never opened, that pattern warrants forensic investigation regardless of whether a known exploit signature is present.
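The correlation described in the detection note, written out as an added example (not from the Project Zero research or any MDM product): it parses a tombstone for a fatal signal and a decoder library in the backtrace, then matches the crash against inbound audio messages that were never opened. The tombstone text, the message telemetry and the library name libdolby_example.so are constructed; the libdolby*/libape* naming patterns are assumptions to adapt to the fleet's actual vendor library names.

```python
import re
from datetime import datetime, timedelta

# Constructed tombstone, trimmed to the fields the check needs.
# libdolby_example.so is a placeholder matching the libdolby*.so pattern.
SAMPLE_TOMBSTONE = """\
Timestamp: 2026-04-14 09:12:07+0000
pid: 4120, tid: 4133, name: media.swcodec  >>> /apex/com.android.media.swcodec/bin/mediaswcodec <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
backtrace:
      #00 pc 000000000001a2b4  /vendor/lib64/libdolby_example.so
      #01 pc 00000000000c9f10  /vendor/lib64/libdolby_example.so
      #02 pc 00000000000055e0  /apex/com.android.media.swcodec/lib64/libcodec2_hidl@1.0.so
"""

# Constructed messaging telemetry: inbound attachments with their MIME type and open state.
SAMPLE_MESSAGES = [
    {"received": "2026-04-14 09:11:58+0000", "mime": "audio/ac3", "opened": False},
    {"received": "2026-04-14 08:30:00+0000", "mime": "audio/ogg", "opened": True},
]

# Assumed naming of the decoder libraries of interest (Dolby and Monkey's Audio).
DECODER_LIB = re.compile(r"/lib(?:64)?/(libdolby[^/\s]*\.so|libape[^/\s]*\.so)", re.I)
FATAL_SIGNALS = {"SIGSEGV", "SIGBUS", "SIGABRT"}
TS_FMT = "%Y-%m-%d %H:%M:%S%z"

def parse_tombstone(text):
    """Extract crash timestamp, signal name and decoder libraries seen in the backtrace."""
    ts = re.search(r"^Timestamp: (.+)$", text, re.M)
    sig = re.search(r"^signal \d+ \((SIG\w+)\)", text, re.M)
    libs = sorted({m.group(1) for m in DECODER_LIB.finditer(text)})
    return {
        "timestamp": datetime.strptime(ts.group(1).strip(), TS_FMT) if ts else None,
        "signal": sig.group(1) if sig else None,
        "decoder_libs": libs,
    }

def correlate(tombstone_text, messages, window=timedelta(seconds=60)):
    """Return unopened audio messages received within `window` before a fatal decoder crash."""
    crash = parse_tombstone(tombstone_text)
    if crash["signal"] not in FATAL_SIGNALS or not crash["decoder_libs"] or crash["timestamp"] is None:
        return []  # not a fatal crash, or no decoder library on the stack: nothing to flag
    hits = []
    for msg in messages:
        received = datetime.strptime(msg["received"], TS_FMT)
        if msg["mime"].startswith("audio/") and not msg["opened"] \
                and timedelta(0) <= crash["timestamp"] - received <= window:
            hits.append({"received": msg["received"], "mime": msg["mime"], "libs": crash["decoder_libs"]})
    return hits
```

Each returned hit is a decoder crash preceded by an audio message the user never touched, which is the pattern the note says to escalate even without a known signature.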

Recommendations

1. Patch immediately and verify OEM patch status. Apply the Android Security Bulletin patches addressing CVE-2025-49415 and CVE-2025-54957 across all managed Pixel and Samsung devices. For devices from other OEMs deploying the Dolby Unified Decoder, actively track vendor advisories — do not assume patch equivalence across OEMs without confirmation.

2. Audit automatic processing pipelines in your mobile application portfolio. If your organization develops or deploys mobile applications that automatically process untrusted media — audio, video, image, or document — conduct an architectural review of what native parsing code is invoked without user interaction. Engage your mobile security team or a third-party assessor to fuzz these pathways.

3. Evaluate AI transcription feature exposure for high-risk users. For executive protection programs, legal teams, or any personnel who may be targeted by sophisticated threat actors, evaluate whether automatic audio transcription in Google Messages should be disabled via MDM policy until the full exploit chain scope is publicly disclosed across all parts of the Project Zero series.

4. Implement enhanced telemetry on Android endpoints. Deploy or configure mobile threat defense tooling to alert on decoder process anomalies, unexpected application crashes in media-handling services, and outbound network activity from sandboxed processes. Treat crash telemetry from media decoders as a security signal, not just a quality signal.

5. Follow the full Project Zero series. This is Part 1 of a multi-part disclosure. The complete exploit chain — including sandbox escape and privilege escalation stages — has not yet been fully published. Security teams should subscribe to Project Zero's blog and be prepared to act on additional findings as subsequent parts of the series are released.

Source credit: This analysis is based on original research published by Google Project Zero. Full technical details and researcher attribution are available at the Project Zero Blog. CypherByte's analysis represents independent assessment and contextualization of that research for enterprise security practitioners.
