In early 2023, a Korean developer introduced the “Pixel IMS” app, a tool designed to empower Pixel users by enabling VoLTE and VoWiFi on unsupported carriers. This innovation proved particularly beneficial for individuals who imported Pixel devices into regions where these features were not natively supported. However, a recent update from Google has disrupted this functionality, leaving many users disheartened. Fortunately, a new workaround has emerged, allowing users to regain access to these essential calling features.
Don’t want to miss the best from Android Authority?
How Google tried to stop Pixel users from enabling VoLTE everywhere, and why it failed
Last week, Google rolled out the October 2025 update for Pixel phones, addressing various display and user interface issues. While the accompanying security bulletin did not highlight any vulnerabilities, it discreetly included a patch that closed the loophole exploited by the Pixel IMS app. This update resulted in the app crashing whenever users attempted to toggle VoLTE or VoWiFi, with error logs indicating that the internal API overrideConfig could not be invoked by the shell user.
The overrideConfig API is a critical component within Android’s telephony framework, allowing users to override carrier configurations that dictate connectivity features. Typically, these configurations are provided directly by carriers, but the overrideConfig API offers a means to bypass them. However, access to this API is restricted to apps with the MODIFYPHONESTATE permission, which is reserved for privileged system applications.
So, how did the Pixel IMS app manage to utilize this API? It cleverly leveraged Shizuku, an open-source tool that enables other applications to operate as the “shell” user, which possesses elevated privileges necessary for testing and debugging via the Android Debug Bridge (ADB). This unique access allowed the Pixel IMS app to call the overrideConfig API, a loophole that remained unaddressed by Google for over two and a half years. Recently, however, Google reclassified this loophole as a high-severity privilege escalation vulnerability.
Despite its new classification, the vulnerability was not considered significant enough to warrant inclusion in the latest security bulletin under the new Risk-Based Update System (RBUS). Nevertheless, Google implemented a fix that added a check to the overrideConfig API, effectively blocking access when the calling process originated from the shell user. This change rendered the Pixel IMS app inoperative, as it relied on running as the shell user to access the API.
In response to this setback, the developer of Pixel IMS swiftly devised a workaround over the weekend. Rather than making a direct call to the overrideConfig API, the app now employs an indirect method by launching an Instrumentation component to execute the API call on its behalf. This clever maneuver circumvents the restriction, as the call no longer appears to originate from the shell user, effectively “laundering” the API call through a different, more acceptable user.
While this new approach offers a temporary solution, it is not without its vulnerabilities. Google could potentially patch this workaround in various ways, with the most effective being the complete removal of the MODIFYPHONESTATE permission from the shell app. Such a move would serve as a decisive killswitch, as the current loophole relies on the shell app retaining the necessary permissions to access the overrideConfig API.
The pressing question remains: how aggressively will Google pursue Pixel IMS and similar applications? Would a total blockade of Pixel IMS deter you from importing a Pixel phone? Your thoughts and insights are welcome in the comments below!
Google tried to kill this Pixel VoLTE-enabling app, but the developer already has a fix
In early 2023, a Korean developer introduced the “Pixel IMS” app, a tool designed to empower Pixel users by enabling VoLTE and VoWiFi on unsupported carriers. This innovation proved particularly beneficial for individuals who imported Pixel devices into regions where these features were not natively supported. However, a recent update from Google has disrupted this functionality, leaving many users disheartened. Fortunately, a new workaround has emerged, allowing users to regain access to these essential calling features.
Don’t want to miss the best from Android Authority?
How Google tried to stop Pixel users from enabling VoLTE everywhere, and why it failed
Last week, Google rolled out the October 2025 update for Pixel phones, addressing various display and user interface issues. While the accompanying security bulletin did not highlight any vulnerabilities, it discreetly included a patch that closed the loophole exploited by the Pixel IMS app. This update resulted in the app crashing whenever users attempted to toggle VoLTE or VoWiFi, with error logs indicating that the internal API
overrideConfigcould not be invoked by the shell user.The
overrideConfigAPI is a critical component within Android’s telephony framework, allowing users to override carrier configurations that dictate connectivity features. Typically, these configurations are provided directly by carriers, but theoverrideConfigAPI offers a means to bypass them. However, access to this API is restricted to apps with theMODIFYPHONESTATEpermission, which is reserved for privileged system applications.So, how did the Pixel IMS app manage to utilize this API? It cleverly leveraged Shizuku, an open-source tool that enables other applications to operate as the “shell” user, which possesses elevated privileges necessary for testing and debugging via the Android Debug Bridge (ADB). This unique access allowed the Pixel IMS app to call the
overrideConfigAPI, a loophole that remained unaddressed by Google for over two and a half years. Recently, however, Google reclassified this loophole as a high-severity privilege escalation vulnerability.Despite its new classification, the vulnerability was not considered significant enough to warrant inclusion in the latest security bulletin under the new Risk-Based Update System (RBUS). Nevertheless, Google implemented a fix that added a check to the
overrideConfigAPI, effectively blocking access when the calling process originated from the shell user. This change rendered the Pixel IMS app inoperative, as it relied on running as the shell user to access the API.In response to this setback, the developer of Pixel IMS swiftly devised a workaround over the weekend. Rather than making a direct call to the
overrideConfigAPI, the app now employs an indirect method by launching anInstrumentationcomponent to execute the API call on its behalf. This clever maneuver circumvents the restriction, as the call no longer appears to originate from the shell user, effectively “laundering” the API call through a different, more acceptable user.While this new approach offers a temporary solution, it is not without its vulnerabilities. Google could potentially patch this workaround in various ways, with the most effective being the complete removal of the
MODIFYPHONESTATEpermission from the shell app. Such a move would serve as a decisive killswitch, as the current loophole relies on the shell app retaining the necessary permissions to access theoverrideConfigAPI.The pressing question remains: how aggressively will Google pursue Pixel IMS and similar applications? Would a total blockade of Pixel IMS deter you from importing a Pixel phone? Your thoughts and insights are welcome in the comments below!