Android bug lets apps make rogue phone calls
Flaw affects the majority of Android devices and could easily be exploited by malware to make premium-rate calls
IDG News Service - A vulnerability present in most Android devices allows apps to initiate unauthorized phone calls, disrupt ongoing calls and execute special codes that can trigger other rogue actions.
The flaw was found and reported to Google late last year by researchers from Berlin-based security consultancy firm Curesec, who believe it was first introduced in Android version 4.1.x, also known as Jelly Bean. The vulnerability appears to have been fixed in Android 4.4.4, released on June 19.
However, the latest version of Android is only available for a limited number of devices and currently accounts for a very small percentage of Android installations worldwide. Based on Google's statistics, almost 60 percent of Android devices that connected to Google Play at the beginning of June ran versions 4.1.x, 4.2.x and 4.3 of the mobile OS. Another 13 percent ran versions 4.4, 4.4.1, 4.4.2 or 4.4.3, which are also vulnerable. Version 4.4.4 had not been released at that time.
The issue allows applications without any permissions whatsoever to terminate outgoing calls or call any numbers, including premium-rate ones, without user interaction. This bypasses the Android security model, where apps without the CALL_PHONE permission should not, under normal circumstances, be able to initiate phone calls.
The flaw can also be exploited to execute USSD (Unstructured Supplementary Service Data), SS (Supplementary Service) or manufacturer-defined MMI (Man-Machine Interface) codes. These special codes are inputted through the dial pad, are enclosed between the * and # characters, and vary between different devices and carriers. They can be used to access various device functions or operator services.
"The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on," Curesec's CEO Marco Lux and researcher Pedro Umbelino said Friday in a blog post.
A different Android vulnerability discovered in 2012 allowed the execution of USSD and MMI codes by visiting a malicious page. Researchers found at the time that certain codes could have been used to reset some Samsung phones to their factory default settings, wiping all user data in the process. Another code allowed changing the card's PIN and could have been used to lock the SIM card by inputting the wrong confirmation PUK (Personal Unblocking Key) several times.
The new vulnerability might be exploited by malware for some time to come, especially since the patching rate of Android devices is very slow and many devices never get updated to newer versions of the OS.
"An attacker could, for instance, trick victims into installing a tampered application and then use it to call premium-rate numbers they own or even regular ones and listen to the discussions in the range of the phone's microphone," said Bogdan Botezatu, a senior e-threat analyst at Bitdefender who confirmed the bug found by the Curesec researchers Monday. "The premium-rate approach looks more plausible, especially since Android does not screen premium-rate numbers for voice as it happens with text messages."
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts