Researchers at Curesec have found a vulnerability that potentially affects 60 percent of Android devices connected to Google Play; another 13 percent running different versions of Android software were also found to be vulnerable. The flaw allows applications to instigate unauthorised calls, including premium rate calls, disrupt ongoing calls and carry out other rogue actions without user interaction. It bypasses the Android security model, under which apps without the CALL_PHONE permission should not be able to initiate calls.
The flaw can also be exploited to execute USSD (Unstructured Supplementary Service Data), SS (Supplementary Service) or manufacturer-defined MMI (Man-Machine Interface) codes. These special codes are entered through the dial pad, are enclosed between the * and # characters, and vary between devices and carriers. They can be used to access various device functions or operator services.
On Friday, Curesec's CEO Marco Lux and researcher Pedro Umbelino said in a blog post: “this bug can be abused by a malicious application. Take a simple game which is coming with this code. The game won't ask you for extra permissions to make a phone call to a toll number – but it is able to do it. The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on.”
Tampered applications may be used to call premium rate numbers, or rogue callers may simply listen in on the victim's regular calls. Although users can see a call in progress on the phone screen as an attack occurs, attacks may be timed for when the phone is idle, such as at night.
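As an added, defender-side illustration (not code from Curesec or from this article): a dial-string classifier of the kind a call-monitoring tool could apply to call requests, recognising the USSD/SS/MMI code format and the premium rate risk described above. The MMI service-code table follows the GSM MMI conventions (3GPP TS 22.030) and the UK 09 premium rate prefix is an assumption of this example, not something the article lists.

```python
import re
from dataclasses import dataclass

# Service codes follow the GSM MMI conventions (3GPP TS 22.030). The table is
# an assumption of this example, not something the article lists.
SERVICE_CODES = {
    "21": "call forwarding (unconditional)",
    "61": "call forwarding (no reply)",
    "62": "call forwarding (not reachable)",
    "67": "call forwarding (busy)",
    "33": "barring of outgoing calls",
    "35": "barring of incoming calls",
    "31": "caller ID restriction (CLIR)",
    "43": "call waiting",
    "04": "SIM PIN change",  # repeated bad PIN entries end up blocking the SIM
}
ACTIONS = {"*": "activate", "**": "register", "#": "deactivate",
           "##": "erase", "*#": "interrogate"}
# Prefix, 2-3 digit service code, optional supplementary info, terminating '#'.
MMI_RE = re.compile(r"^(\*\*|\*#|\*|##|#)(\d{2,3})(?:\*([^#]*))?#$")


@dataclass(frozen=True)
class DialVerdict:
    kind: str    # "number", "premium", "mmi", "ussd" or "invalid"
    detail: str
    risk: str    # "high" means alert even if the caller may place calls


def classify_dial_string(raw: str) -> DialVerdict:
    s = raw.replace(" ", "").replace("-", "")
    m = MMI_RE.match(s)
    if m and m.group(2) in SERVICE_CODES:
        action = ACTIONS[m.group(1)]
        target = f" -> {m.group(3)}" if m.group(3) else ""
        return DialVerdict("mmi", f"{action} {SERVICE_CODES[m.group(2)]}{target}", "high")
    if s.startswith("*") and s.endswith("#"):
        # Anything else in *...# form: operator USSD or a vendor-defined MMI code.
        return DialVerdict("ussd", "operator or manufacturer code", "high")
    if not re.fullmatch(r"\+?\d+", s):
        return DialVerdict("invalid", "not a dialable string", "normal")
    # Assumed UK numbering: fold +44 / 0044 into national form; 09 = premium rate.
    national = re.sub(r"^(\+44|0044)", "0", s)
    if national.startswith("09"):
        return DialVerdict("premium", "UK premium rate number", "high")
    return DialVerdict("number", "ordinary number", "normal")


def audit(dial_strings):
    """Return only the call requests a monitoring tool should raise an alert for."""
    return [(d, classify_dial_string(d)) for d in dial_strings
            if classify_dial_string(d).risk == "high"]
```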
In correspondence with SC MagazineUK.com, Andrew Rose, principal analyst at Forrester Research, noted that Android is already known as the mobile platform of choice for attackers, with huge monthly increases in the number of malware attacks, citing a recent Trend Micro report which stated that 44 percent of mobile malware is targeted at premium service abuse. Rose told SC: “It's clear that malware is quite able to instigate rogue calls already. A fundamental OS flaw, however, leaves the door open for 'legitimate' apps to achieve the same goal and, with Android's much more open app marketplace, this is certainly an increased risk.”
Chris Boyd, Malware Intelligence Analyst at Malwarebytes, told SC MagazineUK.com via email: “While this is a potentially serious problem, it's a good reminder to only install apps that are a known entity from trusted sources/developers. It shouldn't be hard to notice that your phone is suddenly making a call unannounced, but device owners do leave them switched on overnight. This is likely more of a problem for those on a contract as opposed to PAYG due to the potentially limitless call charges which could be racked up on a contract.”
“Any firm that allows their staff to use Android devices should be well aware of the risk profile and should have reacted to that threat by insisting on the installation of security software from vendors such as Symantec, McAfee or Kaspersky. These security solutions should be easily tweaked by the vendor to address this OS flaw and prevent unauthorised premium rate calls,” said Rose.
Boyd adds, “One would hope businesses handing out devices would also have installed security tools which can scan for rogue installs, but the onus here is certainly on personal device owners to ensure their phones are running appropriate security programs and making sensible download decisions when browsing the Google Play store.”
As the patching rate on Android devices is very slow and many devices never get updated to newer versions of the OS, this new vulnerability could be exploited by malware for quite a while. A different vulnerability affects the older Gingerbread releases, Android versions 2.3.3 to 2.3.6, which are still used by about 15 percent of users. Rose commented: “I think that consumers and businesses alike would welcome a resolution to that particular drawback of this popular mobile platform.”
Rose concluded, “Individuals using the Android platform should be similarly warned, and take precautions. There are many free security solutions available and it's just reckless to use Android without at least one of them installed.”