The protection against sending SMSs to premium rate numbers doesn't include STK.apk
Google has recently released Android 4.2, but despite the improved security features that should protect users against applications that send SMS messages to premium rate numbers, SIM toolkit attacks are still possible.
According to security researcher Bogdan Alecu, the operating system warns users when they’re about to send messages to premium rate numbers.
“How Android knows about premium messages is that it reads an XML list where each country has its own defined premium rate numbers and how many digits those numbers need to have,” Alecu explained in a blog post.
The problem is that although Android 4.2 protects users against malicious attempts that leverage regular SMS applications, it doesn’t offer any security against SIM Toolkit attacks that rely on the STK.apk app.
The expert has pointed out that in some cases the STK.apk application is not enabled by default after the update is performed, which means that the vulnerability doesn’t exist on those devices and the attacks don’t work.
However, cases in which STK.apk is not active after the update are isolated, and the app is enabled once the user sets a SIM PIN protection.
“Now, since the Android 4.2 protects also against the basic regular SMS app when you want to send a text to a premium number by yourself, I could not see any reason for not protecting also against SIM Toolkit attack since the STK.apk is involved,” the researcher wrote.
Alecu has told Softpedia in an email that the STK.apk – which is responsible for interpreting the messages sent and received by the SIM card – is standard for Android operating systems.
He finds it odd that Google hasn’t extended the SMS security mechanism to check if STK.apk is utilized by malicious applications to send messages to premium rate numbers.
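The per-country lookup Alecu describes, and the send-path gap the article reports, sketched as an added example (not Android's code or the researcher's). The XML schema, the numbers in it, the origin labels and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample list: one entry per country giving the short-code length
# and the premium patterns. Schema and numbers are illustrative assumptions.
SAMPLE_XML = r"""
<shortcodes>
  <shortcode country="ro" min_digits="4" max_digits="4" premium="12\d{2}|7\d{3}"/>
  <shortcode country="us" min_digits="5" max_digits="6" premium="9\d{4}"/>
</shortcodes>
"""

def load_rules(xml_text):
    """Parse the list into {country: (min_len, max_len, premium_regex)}."""
    rules = {}
    for node in ET.fromstring(xml_text).iter("shortcode"):
        rules[node.get("country")] = (
            int(node.get("min_digits")),
            int(node.get("max_digits")),
            re.compile(node.get("premium")),
        )
    return rules

def classify(rules, country, destination):
    """Return 'premium', 'short_code' or 'standard' for a destination number."""
    digits = re.sub(r"[\s\-()]", "", destination)
    rule = rules.get(country)
    if rule is None or not digits.isdigit():
        return "standard"  # unknown country or international (+...) format
    lo, hi, premium = rule
    if not lo <= len(digits) <= hi:
        return "standard"  # wrong digit count for a short code in this country
    return "premium" if premium.fullmatch(digits) else "short_code"

def warn_described(rules, country, destination, origin):
    """Behaviour reported in the article: only the regular SMS path is checked."""
    return origin == "sms_app" and classify(rules, country, destination) == "premium"

def warn_all_origins(rules, country, destination, origin):
    """Same lookup applied to every send path; origin is kept only for logging."""
    return classify(rules, country, destination) == "premium"

if __name__ == "__main__":
    rules = load_rules(SAMPLE_XML)
    for origin in ("sms_app", "sim_toolkit"):
        print(origin, warn_described(rules, "ro", "1234", origin),
              warn_all_origins(rules, "ro", "1234", origin))
```

Placing the check at the point where every message leaves the device, rather than in one sending path, is what makes the two origins produce the same warning.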
Here is the video demonstration for the Android 4.2 premium SMS protection:
This is the video proof-of-concept which shows that Android 4.2 is still vulnerable to SIM Toolkit attacks: