With the release of version 4.47.7, the developers of Signal for Android fixed a bug in the messenger that closely resembles the vulnerability found in FaceTime at the beginning of this year. As a reminder, the bug that caused Apple to urgently disable FaceTime group calls allowed a caller to access other people's microphone and camera even if they did not answer the call at all. In effect, the vulnerability could be used to eavesdrop on users without their knowledge.
Now a nearly identical problem (CVE-2019-17191) has been found in Signal for Android, but it applies only to voice calls and does not affect video calls (since the camera must be turned on manually each time). The vulnerability was discovered by Google Project Zero researcher Natalie Silvanovich. She writes that a similar logic error is present in the iOS client, but there the call cannot be made because of an error in the UI.
On Android, an attacker could use a modified version of the Signal application to initiate a call and then press their own “Mute” button, which causes the call to be accepted on the called party's side. If the attacker presses the mute button quickly, the attack may go almost unnoticed, because this avoids a prolonged incoming call that could alert the victim to what is happening.
However, the developers note that the user would in any case see visible signs that a call took place: for example, a record of the call appears at the top of the list of completed calls, and during the call itself the screen shows that a call is in progress.