PT-2021-6395 · Google · Aosp Sms/Mms

Chris Talbot · Published 2021-06-21 · Updated 2024-08-03 · CVE-2022-23835

CVSS v3.1: 8.1 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Visual Voice Mail (VVM) application through 2022-02-24 for Android

Description

The issue is related to insufficient protection of service data in the Visual Voice Mail (VVM) application for Android. An attacker who temporarily controls an application with the READ_SMS permission can read an IMAP credentialing message that is not displayed to the victim within the AOSP SMS/MMS messaging application. This can allow the attacker to gain unauthorized access to protected information, including listening to voice mail messages sent before and after the exploitation.

Recommendations

For the Visual Voice Mail (VVM) application through 2022-02-24 for Android, consider disabling the application's access to the READ_SMS permission as a temporary workaround until a patch is available. Restrict access to the IMAP credentialing message to minimize the risk of exploitation. Avoid using applications with the READ_SMS permission to prevent potential attackers from intercepting VVM IMAP credentials sent in plain text via SMS.

Exploit

Fix

Information Disclosure

Exposure of Resource to Wrong Sphere

Missing Encryption of Sensitive Data

Weakness Enumeration

Related Identifiers

BDU:2022-01476
CVE-2022-23835

Affected Products

Aosp Sms/Mms