Android bug lets apps make rogue phone calls

The flaw affects the majority of Android devices in use and could easily be exploited by malware to make premium-rate calls

A vulnerability present in most Android devices allows apps to initiate unauthorized phone calls, disrupt ongoing calls and execute special codes that can trigger other rogue actions.

The flaw was found and reported to Google late last year by researchers from Berlin-based security consultancy firm Curesec, who believe it was first introduced in Android version 4.1.x, also known as Jelly Bean. The vulnerability appears to have been fixed in Android 4.4.4, released on June 19.

However, the latest version of Android is only available for a limited number of devices and currently accounts for a very small percentage of Android installations worldwide. Based on Google's statistics, almost 60 percent of Android devices that connected to Google Play at the beginning of June ran versions 4.1.x, 4.2.x and 4.3 of the mobile OS. Another 13 percent ran versions 4.4, 4.4.1, 4.4.2 or 4.4.3, which are also vulnerable. Version 4.4.4 had not been released at that time.

The issue allows applications without any permissions whatsoever to terminate outgoing calls or call any numbers, including premium-rate ones, without user interaction. This bypasses the Android security model, where apps without the CALL_PHONE permission should not, under normal circumstances, be able to initiate phone calls.

The flaw can also be exploited to execute USSD (Unstructured Supplementary Service Data), SS (Supplementary Service) or manufacturer-defined MMI (Man-Machine Interface) codes. These special codes are inputted through the dial pad, are enclosed between the * and # characters, and vary between different devices and carriers. They can be used to access various device functions or operator services.

"The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on," Curesec's CEO Marco Lux and researcher Pedro Umbelino said Friday in a blog post.

A different Android vulnerability discovered in 2012 allowed the execution of USSD and MMI codes by visiting a malicious page. Researchers found at the time that certain codes could have been used to reset some Samsung phones to their factory default settings, wiping all user data in the process. Another code allowed changing the card's PIN and could have been used to lock the SIM card by inputting the wrong confirmation PUK (Personal Unblocking Key) several times.

The new vulnerability might be exploited by malware for some time to come, especially since the patching rate of Android devices is very slow and many devices never get updated to newer versions of the OS.

"An attacker could, for instance, trick victims into installing a tampered application and then use it to call premium-rate numbers they own or even regular ones and listen to the discussions in the range of the phone's microphone," said Bogdan Botezatu, a senior e-threat analyst at Bitdefender who confirmed the bug found by the Curesec researchers Monday. "The premium-rate approach looks more plausible, especially since Android does not screen premium-rate numbers for voice as it happens with text messages."

The attack is not exactly silent, as users can see that a call is in progress by looking at the phone, but there are ways to make detection harder.

A malicious app could wait until there is no activity on the phone before initiating a call or could execute the attack only during nighttime, Lux said Monday via email. The app could also completely overlay the call screen with something else, like a game, he said.

The Curesec researchers have created an application that users can install to test whether their devices are vulnerable, but they have not published it to Google Play. As far as Lux knows, Google is now scanning the store for apps that attempt to exploit the vulnerability.

The only protection for users who don't receive the Android 4.4.4 update would be a separate application that intercepts every outgoing call and asks them for confirmation before proceeding, Lux said.

Lux and his team have also identified a separate vulnerability in older Android versions, namely 2.3.3 to 2.3.6, also known as Gingerbread, that has the same effect. Those Android versions were still used by around 15 percent of Android devices as of June, according to Google's data.

Google did not immediately respond to a request for comment.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Android OSGoogleCuresecsecuritymobile securityExploits / vulnerabilitiesbitdefendermalware

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?