14 DAY TRIAL // Malicious applications can abuse the phone call feature in most Android versions to place phone calls, even if they do not have the necessary permission.
Researchers at the German security consultancy company, Curesec, found that the vulnerability can be exploited to terminate ongoing calls and to send short text messages to a specific number, although in this case user intervention is necessary.
They discovered the bug last year and reported it to the Android Security Team in late 2013, who delivered a fix in the latest revision of Android, 4.4.4. This means that earlier versions of the mobile operating system, but not all of them, are still affected by the bug.
According to the researchers, the flaw was introduced in version 4.1.x of the OS, which is also the most popular, with more than half (56.5%) of the Android users running it on their devices, according to statistics collected in the week up to July 7. Users of the KitKat version lower than 4.4.4 are also affected by the glitch.
Threat actors can monetize on the flaw by creating malicious apps with the specific purpose of dialing calls to premium-lines set up by the cybercriminals, inflating the mobile phone bill of the victim.
The issue is serious because it circumvents the permission system for the apps on Android. If an app does not have the permission to initiate phone calls, Android should automatically set a denial of the action.
“However this bug is circumventing the situation and allows any malicious app to do a phone call, send mmi or ussd codes or hangup an ongoing call,” says the blog post from Curesec.
Furthermore, the researchers say that the bug can be exploited to run USSD (Unstructured Supplementary Service Data), SS (Supplementary Service) or MMI (Man-Machine Interface) codes, which can change various services on the phone, such as call forwarding, SIM card blocking, or turning on/off caller ID.
Unfortunately, there are no tools available for fixing the problem and an update to the latest version of Android is what users should do.
“As the app does not have the permission but is abusing a bug, such apps cannot easily protect you from this without the knowledge that this bug exists in another class on the system,” say the researchers.
However, Curesec has built two Android applications that can determine whether the phone is vulnerable or not to the above mentioned flaws.