Thursday, July 10, 2014
Author: Chaotic Indian
A major vulnerability believed to be present in most versions of the Android Mobile OS can allow malicious Android applications to make phone calls on a user’s device, even if they lack the necessary permissions.
The critical vulnerability was identified and reported to Google Inc. late last year, by researchers from German Security firm Curesec. The researchers believe that the virus was first noticed in Android version 4.1, A.K.A “JellyBean.”
APPS CAN MAKE CALLS FROM YOUR PHONE.
“This bug can be abused by a malicious application. As an example, take a simple game which has this code in it. The game won’t ask you for extra permissions to perform a phone call to a tool number but it is able to do it,” said Curesec’s CEO Marco Lux and researcher Pedro Umbelino on a blog post last Friday. “This is normally not possible without giving the app that special permission.”
By leveraging these vulnerabilities, malicious applications could initiate unauthorized phone calls, disrupt ongoing phone calls, dialing out to expensive toll services and potentially framing up big charges on an unsuspecting user’s phone bills.
ANDROID BUG ALLOWS UNAUTHORIZED USERS TO TERMINATE OUTGOING CALLS AND SEND USSD.
This vulnerability can also be exploited to disconnect outgoing calls and to execute
●Unstructured Supplementary Service Data (USSD)
●Supplementary Service (SS)
●Manufacturerdefined MMI (ManMachine Interface) code.
These special codes can be used to access various device functions or operator services, which makes the problem a nasty one for those who value data privacy and confidentiality.
“The list of USSD/SS/MMI codes is long and there are several quite powerful ones, like codes that change the flow of phone calls(call forwarding), blocking a SIM card, enabling/disabling caller anonymity and so on,” reads the blog post.
Even the Android security screening apps, which do not allow apps without the CALL_PHONEpermission to be executed, can be easily bypassed and offer no protection from these flaws, because the exploits have the capability to deceive the Android permissions system all together.
“As the app does not have the permission but is abusing a bug, such security apps cannot protect you from the exploit without the knowledge of this bug’s existence,”wrote the researchers.
A large number of Android OS versions are affected by the vulnerabilities. Researchers have found two different flaws that can be exploited to achieve the same goals one found in newer systems, and the other meant for older systems.
FIRST BUG MEANT FOR NEWER VERSIONS OF ANDROID
The first bug, known as CVE20136272, seems to have been introduced in Android version 4.1.1 Jelly Bean and continues all the way to the most recent 4.4.2 KitKat, before the security team at Google Inc. was able to fix it in Android update 4.4.4.
Unfortunately, only 14% of users have had the chance to download the update. Think about it how many other users are currently in the grip of the flaws? A very generous number, be assured.
SECOND BUG MEANT FOR OLDER VERSIONS OF ANDROID
The second bug is far wider in it’s reach, affecting both versions 2.3.3 and 2.3.6, the most popular versions of Android Gingerbread used by small phones and budgetminded phones which are immensely popular in emerging markets like those found in Brazil, China and Russia. The bug was fixed in 3.0.0 Honeycomb, but that was only a tablet release that no longer even charts on Google’s Android statistics. That means the bug is still open to 90% of the world’s Android users to the exploit.
Researchers at Curesec have provided source code and a proofofconcept demonstration app that lets users test their Android devices for vulnerabilities. In the meantime, it is strongly advised to Android users running 4.4.2 KitKat to update their device as soon as possible to prevent becoming a victim of this highly dangerous exploit. The update is expected to roll out in the coming weeks.