Android Dolby Vulnerability: Zero-Click Hack Risk

by priyanka.patel tech editor

Critical Android Zero-Click Hack Exploited Dolby Audio, Patched in January 2026 Update

A critical security vulnerability within Android’s Dolby audio system allowed attackers to potentially gain control of devices without any user interaction, a so-called “zero-click” exploit. Google addressed the flaw with a security update released in January 2026, following a first correction for Pixel devices in December.

The vulnerability resided within the Dolby Digital Plus (DD+) decoder, a component found not only in Android but also in Windows, macOS, and iOS. According to security researchers, a specially crafted audio file could trigger an integer overflow, leading to memory corruption and an out-of-bounds write. This meant that simply receiving a malicious audio file, such as a voice message, could be enough to compromise a device.
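The bug class described above (a size taken from the file wraps, passes a bounds check, and then drives a write past the buffer) shown in miniature. This is an added example, not Dolby's code and not from the researchers' report; the frame header, its field names and the buffer size are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 4096u /* decoder output buffer size (assumed) */

/* Hypothetical frame header; both fields come from the untrusted file. */
struct frame_hdr { uint16_t n_blocks; uint16_t block_len; };

/* Flawed check: the product is truncated to 16 bits before the comparison,
 * so 257 * 256 = 65792 wraps to 256 and appears to fit. */
int fits_unsafe(const struct frame_hdr *h)
{
    uint16_t total = (uint16_t)((uint32_t)h->n_blocks * h->block_len);
    return total <= OUT_CAP;
}

/* Hardened check: two 16-bit values multiplied in 32 bits cannot wrap,
 * so the comparison sees the real size. */
int fits_safe(const struct frame_hdr *h, uint32_t *total)
{
    *total = (uint32_t)h->n_blocks * h->block_len;
    return *total <= OUT_CAP;
}

/* Copy gated by the hardened check; returns bytes written, or -1 on reject. */
long decode_blocks(const struct frame_hdr *h, const uint8_t *in,
                   size_t in_len, uint8_t out[OUT_CAP])
{
    uint32_t total;
    if (!fits_safe(h, &total) || total > in_len)
        return -1; /* malformed frame: refuse rather than write past out[] */
    for (size_t i = 0; i < h->n_blocks; i++)
        memcpy(out + i * h->block_len, in + i * h->block_len, h->block_len);
    return (long)total;
}

int main(void)
{
    static uint8_t in[256], out[OUT_CAP];
    struct frame_hdr ok = {4, 64}, bad = {257, 256}; /* constructed samples */
    printf("ok : unsafe=%d decode=%ld\n", fits_unsafe(&ok),
           decode_blocks(&ok, in, sizeof in, out));
    printf("bad: unsafe=%d decode=%ld\n", fits_unsafe(&bad),
           decode_blocks(&bad, in, sizeof in, out));
    return 0;
}
```

The flawed check accepts the constructed `bad` header even though it describes 65,792 bytes for a 4,096-byte buffer; the hardened path rejects it before any copy takes place.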

“The big danger is that Android often processes incoming audio files automatically in the background,” one analyst noted. This automatic processing is what enabled the zero-click nature of the attack, meaning users didn’t need to open or interact with the file in any way to be vulnerable.

Millions of devices were potentially affected, with the vulnerability, identified as CVE-2025-54957, impacting the Dolby Unified Decoder in versions 4.5 to 4.13. Google researchers successfully demonstrated crashes on devices including the Pixel 9 and Samsung Galaxy S24. While Dolby initially assessed the threat as “moderate,” Google and other cybersecurity authorities deemed it critical, prompting the Belgian safety authorities to temporarily advise deactivating the RCS messaging service to mitigate risk.

January Update Delivers Critical Fix

Google has now released a security update for January 2026 that resolves the vulnerability. Experts are urging all Android users to install the update immediately, with distribution rolling out first to Pixel devices and then to other manufacturers’ models.

The affected component is the Dolby Unified Decoder (UDC), and the attack vector involved a manipulated DD+ audio file. No user action was required for a successful exploit.

A Recurring Threat: Media Files as Attack Vectors

This vulnerability echoes past Android security issues, such as the infamous “Stagefright” flaw. Complex media formats are inherently prone to errors, providing attackers with potential entry points. Because decoders are deeply integrated into the operating system, vulnerabilities within them can have severe consequences.

The increasing trend towards automatic background processing offers greater convenience, but it also expands the attack surface and increases the risk of zero-click attacks. These attacks are particularly dangerous because they can remain undetected, requiring no visible interaction from the victim.

Future Security Measures

Looking ahead, manufacturers need to prioritize better isolation of media processing components and implement more robust memory checks. For users, the advice remains consistent: install updates promptly and exercise caution with files from unknown senders.

A company release stated that the vulnerability highlights the need for continuous vigilance in the face of evolving cyber threats.

The incident serves as a stark reminder that media files remain a significant security risk, and proactive measures are essential to protect against emerging threats.
