Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

0-click Exploit Chain For Pixel 9 Part 3: Where do we go from here?

Natalie Silvanovich, Project Zero. Posted 1 month ago.
  • The previous two posts in this series walked through a 0-click exploit that first compromised audio decoding on Android and then a kernel driver on the Pixel to take over the device. The third and final post is about where to go from here.
  • The audio-parsing 0-click attack surface is a bad one. There are many audio formats backed by many low-quality libraries, which gives attackers a rich place to look. Natalie recommends removing rarely used decoders, such as Dolby UDC, from the 0-click attack surface. What is reachable via 0-click versus 1-click is rarely considered explicitly; it is worth thinking these decisions through more deeply.
  • The Dolby UDC bug was found during a single one-week team hackathon, and the kernel bug was found in a single day. Discovery was quick, and the driver contained multiple serious vulnerabilities. GTIG has detected and reported 16 Android driver vulnerabilities, so the security of these drivers appears to be pretty poor.
  • The Dolby UDC chain took eight person-weeks, and the BigWave vulnerability took three weeks to reach a basic proof of concept. Given the resources well-funded threat actors have, that is a very small investment to find this kind of issue.
  • The mitigations make for an interesting discussion. For the UDC bug, the seccomp filter was turned off, and the binary was not compiled with the bounds protections that would have caught it. MTE would not have helped because the decoder uses a custom allocator. For the kernel bug, a kASLR issue made exploitation much easier. Project Zero hopes that Pixel and other Android manufacturers will move closer to Apple on memory-safety features going forward.
  • Patching was not great, mainly because of the ecosystem's complexity. The first bug was reported to Dolby in June 2025 and patched in Chrome in September 2025. Pixel did not receive Dolby patches until October, Samsung patched in November 2025, and Pixel did not ship the full fix until January 2026. In total, this 0-click exploit took 139 days to patch from disclosure. Dolby rated the exploitability of this bug as low for some reason, but Project Zero believes otherwise.
  • The existence of another bug needed to fully compromise the phone does not mean the first one is not worth patching right away. At least one bug in the chain, ideally the hardest part of the chain, should be patched immediately. Diffusion of responsibility is likely why this took so long. Overall, an amazing series on the real world of exploit development.
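To make the custom-allocator point in the mitigations bullet concrete, here is an added example written for these notes; it is not code from the Project Zero post, from Dolby, or from Android, and every name in it (arena_t, arena_alloc, decode_frame_unchecked, the frame layout) is illustrative rather than taken from any real codec. It shows a bump allocator handing out 16-byte slots from one malloc'd block. A decoder that trusts a length field overflows its slot into the neighbouring slot without ever leaving the backing block, so allocation-granularity checks such as MTE tags or ASan heap red zones see nothing; only the bounds check inside the decoder stops it.

```c
/* Added example, not from the Project Zero post or any vendor code.
 * Shows why a custom arena allocator hides intra-block overflows from
 * heap-level mitigations (MTE, ASan heap red zones). All names are
 * illustrative; the "frame" format is constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One backing block from the system allocator, carved up by a bump pointer.
 * MTE tags the whole block with a single tag, so slots inside it share it. */
typedef struct {
    uint8_t *base;
    size_t   size;
    size_t   used;
} arena_t;

static int arena_init(arena_t *a, size_t size) {
    a->base = malloc(size);
    if (a->base == NULL) return -1;
    memset(a->base, 0, size);
    a->size = size;
    a->used = 0;
    return 0;
}

/* Hand out the next 16-byte-aligned slice; no per-slot metadata, no guard. */
static void *arena_alloc(arena_t *a, size_t n) {
    n = (n + 15) & ~(size_t)15;
    if (n > a->size - a->used) return NULL;
    void *p = a->base + a->used;
    a->used += n;
    return p;
}

static void arena_free(arena_t *a) {
    free(a->base);
    a->base = NULL;
}

/* Constructed frame format: frame[0] = payload length, then payload bytes.
 * The unchecked decoder validates against the input buffer only, never
 * against the destination slot, so a large length byte runs past the slot. */
static int decode_frame_unchecked(const uint8_t *frame, size_t frame_len,
                                  uint8_t *slot, size_t slot_len) {
    if (frame_len < 1) return -1;
    size_t n = frame[0];
    if (n > frame_len - 1) return -1;  /* reads stay inside the input... */
    (void)slot_len;                     /* ...but writes ignore the slot size */
    memcpy(slot, frame + 1, n);
    return (int)n;
}

/* Hardened variant: the one extra comparison a bounds check would supply. */
static int decode_frame_checked(const uint8_t *frame, size_t frame_len,
                                uint8_t *slot, size_t slot_len) {
    if (frame_len < 1) return -1;
    size_t n = frame[0];
    if (n > frame_len - 1) return -1;
    if (n > slot_len) return -1;        /* reject payloads larger than the slot */
    memcpy(slot, frame + 1, n);
    return (int)n;
}

/* Allocate two adjacent slots, decode an oversized frame into the first one,
 * and report whether the second slot's sentinel was clobbered.
 * Returns 1 if the neighbour was overwritten, 0 if it survived, -1 on error. */
static int demo_overflow(int use_checked_decoder) {
    arena_t a;
    if (arena_init(&a, 64) != 0) return -1;
    uint8_t *slot  = arena_alloc(&a, 16);
    uint8_t *neigh = arena_alloc(&a, 16);
    if (slot == NULL || neigh == NULL) { arena_free(&a); return -1; }
    memset(neigh, 0x41, 16);            /* sentinel that should survive */

    uint8_t frame[33];                  /* constructed input: claims 32 bytes */
    frame[0] = 32;                      /* twice the 16-byte slot */
    memset(frame + 1, 0x42, 32);

    if (use_checked_decoder)
        decode_frame_checked(frame, sizeof frame, slot, 16);
    else
        decode_frame_unchecked(frame, sizeof frame, slot, 16);

    int clobbered = (neigh[0] != 0x41); /* overflow never left a.base */
    arena_free(&a);
    return clobbered;
}

int main(void) {
    printf("unchecked decoder clobbered neighbour: %d\n", demo_overflow(0));
    printf("checked decoder clobbered neighbour:   %d\n", demo_overflow(1));
    return 0;
}
```

Both slots live inside the same 64-byte malloc'd block, so the 32-byte memcpy in the unchecked path is a perfectly valid write as far as the system allocator, MTE tagging, or ASan's heap red zones can tell; the corruption of the neighbouring slot is visible only to code that knows the arena's internal layout. That is the situation the mitigations bullet describes, and it is why allocation-level hardening has to be paired with bounds checks compiled into the decoder itself (or the arena has to carve out MTE-tagged or guarded slots of its own).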