A vulnerability present in most Android devices allows apps to initiate unauthorized phone calls, disrupt ongoing calls and execute special codes that can trigger other rogue actions.
The flaw was found and reported to Google late last year by researchers from Berlin-based security consultancy firm Curesec, who believe it was first introduced in Android version 4.1.x, also known as Jelly Bean. The vulnerability appears to have been fixed in Android 4.4.4, released on June 19.
[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in InfoWorld's Malware Deep Dive Report. | Learn how to secure your systems with InfoWorld's Security Central newsletter. ]
However, the latest version of Android is only available for a limited number of devices and currently accounts for a very small percentage of Android installations worldwide. Based on Google's statistics, almost 60 percent of Android devices that connected to Google Play at the beginning of June ran versions 4.1.x, 4.2.x and 4.3 of the mobile OS. Another 13 percent ran versions 4.4, 4.4.1, 4.4.2 or 4.4.3, which are also vulnerable. Version 4.4.4 had not been released at that time.
The issue allows applications without any permissions whatsoever to terminate outgoing calls or call any numbers, including premium-rate ones, without user interaction. This bypasses the Android security model, where apps without the CALL_PHONE permission should not, under normal circumstances, be able to initiate phone calls.
The flaw can also be exploited to execute USSD (Unstructured Supplementary Service Data), SS (Supplementary Service) or manufacturer-defined MMI (Man-Machine Interface) codes. These special codes are inputted through the dial pad, are enclosed between the * and # characters, and vary between different devices and carriers. They can be used to access various device functions or operator services.
"The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on," Curesec's CEO Marco Lux and researcher Pedro Umbelino said Friday in a blog post.
A different Android vulnerability discovered in 2012 allowed the execution of USSD and MMI codes by visiting a malicious page. Researchers found at the time that certain codes could have been used to reset some Samsung phones to their factory default settings, wiping all user data in the process. Another code allowed changing the card's PIN and could have been used to lock the SIM card by inputting the wrong confirmation PUK (Personal Unblocking Key) several times.
The new vulnerability might be exploited by malware for some time to come, especially since the patching rate of Android devices is very slow and many devices never get updated to newer versions of the OS.
"An attacker could, for instance, trick victims into installing a tampered application and then use it to call premium-rate numbers they own or even regular ones and listen to the discussions in the range of the phone's microphone," said Bogdan Botezatu, a senior e-threat analyst at Bitdefender who confirmed the bug found by the Curesec researchers Monday. "The premium-rate approach looks more plausible, especially since Android does not screen premium-rate numbers for voice as it happens with text messages."
The attack is not exactly silent, as users can see that a call is in progress by looking at the phone, but there are ways to make detection harder.
A malicious app could wait until there is no activity on the phone before initiating a call or could execute the attack only during nighttime, Lux said Monday via email. The app could also completely overlay the call screen with something else, like a game, he said.
The Curesec researchers have created an application that users can install to test whether their devices are vulnerable, but they have not published it to Google Play. As far as Lux knows, Google is now scanning the store for apps that attempt to exploit the vulnerability.
The only protection for users who don't receive the Android 4.4.4 update would be a separate application that intercepts every outgoing call and asks them for confirmation before proceeding, Lux said.
Lux and his team have also identified a separate vulnerability in older Android versions, namely 2.3.3 to 2.3.6, also known as Gingerbread, that has the same effect. Those Android versions were still used by around 15 percent of Android devices as of June, according to Google's data.
Google did not immediately respond to a request for comment.