A vulnerability present in most Android devices allows apps to initiate unauthorized phone calls, disrupt ongoing calls and execute special codes that can trigger other rogue actions.
The flaw was found and reported to Google late last year by researchers from Berlin-based security consultancy firm Curesec, who believe it was first introduced in Android version 4.1.x, also known as Jelly Bean. The vulnerability appears to have been fixed in Android 4.4.4, released on June 19.
However, the latest version of Android is only available for a limited number of devices and currently accounts for a very small percentage of Android installations worldwide. Based on Google’s statistics, almost 60 percent of Android devices that connected to Google Play at the beginning of June ran versions 4.1.x, 4.2.x and 4.3 of the mobile OS. Another 13 percent ran versions 4.4, 4.4.1, 4.4.2 or 4.4.3, which are also vulnerable. Version 4.4.4 had not been released at that time.
The issue allows applications without any permissions whatsoever to terminate outgoing calls or call any numbers, including premium-rate ones, without user interaction. This bypasses the Android security model, where apps without the CALL_PHONE permission should not, under normal circumstances, be able to initiate phone calls.
The flaw can also be exploited to execute USSD (Unstructured Supplementary Service Data), SS (Supplementary Service) or manufacturer-defined MMI (Man-Machine Interface) codes. These special codes are inputted through the dial pad, are enclosed between the * and # characters, and vary between different devices and carriers. They can be used to access various device functions or operator services.
“The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on,” Curesec’s CEO Marco Lux and researcher Pedro Umbelino said Friday in a blog post.
A different Android vulnerability discovered in 2012 allowed the execution of USSD and MMI codes by visiting a malicious page. Researchers found at the time that certain codes could have been used to reset some Samsung phones to their factory default settings, wiping all user data in the process. Another code allowed changing the card’s PIN and could have been used to lock the SIM card by inputting the wrong confirmation PUK (Personal Unblocking Key) several times.
The new vulnerability might be exploited by malware for some time to come, especially since the patching rate of Android devices is very slow and many devices never get updated to newer versions of the OS.
“An attacker could, for instance, trick victims into installing a tampered application and then use it to call premium-rate numbers they own or even regular ones and listen to the discussions in the range of the phone’s microphone,” said Bogdan Botezatu, a senior e-threat analyst at Bitdefender who confirmed the bug found by the Curesec researchers Monday. “The premium-rate approach looks more plausible, especially since Android does not screen premium-rate numbers for voice as it happens with text messages.”