On July 4 the German security firm Curesec came forward with information which could suggest that malicious apps on the Android app store are able to make phone calls on a user’s device without explicitly requesting permissions first.
On the surface this may not look like a story worth covering, but a closer look at what the bug makes possible shows why it is a particularly nasty problem for anyone who values the data they keep on their mobile phone.
“This bug can be abused by a malicious application. Take a simple game which is coming with this code. The game won't ask you for extra permissions to do a phone call to a toll number – but it is able to do it.
This is normally not possible without giving the app this special permission. But not only might it be disturbing or expensive for someone to call a toll number or getting ongoing calls hung up. It is also possible to send USSD codes. The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on.”
Once an attacker has this kind of control over the phone, the malware can dial spoofed toll numbers that funnel money into an offshore account set up by its distributors, running up a bill of hundreds or even thousands of dollars before the charges cross the financial threshold at which the carrier's automated fraud controls flag them.
The primary vulnerability, tracked as CVE-2013-6272, was first seen in Android 4.1.1 Jelly Bean and persisted all the way through 4.4.2 KitKat before Google's security team closed it with the release of 4.4.4.
Unfortunately, as we reported last week, a mere 14 percent of users are currently on the latest version of the mobile OS, leaving a large share of the less-savvy public exposed to vulnerabilities and attack paths that would be closed off if more of the Android faithful were diligent about checking their system settings and applying patches.
The second hole has a wider reach, affecting Android 2.3.3 and 2.3.6, two popular Gingerbread releases that ship on the mid-range and budget smartphones which continue to surge in popularity in emerging markets such as Brazil, China, and Russia.
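For anyone responsible for a fleet of handsets, the practical question raised by the two version ranges above is simply which devices still need the update. The following triage helper is an added example, not code from Curesec or from this article: it takes release strings of the kind returned by `adb shell getprop ro.build.version.release` (an assumption about how the inventory was collected) and flags devices whose version falls inside the ranges the article names. It cannot see vendor backports, and the article says nothing about 4.4.3 either way, so a hit is a prompt to verify rather than proof of exposure.

```python
"""Triage helper: flag Android devices whose release version falls in the
ranges the article names as affected by CVE-2013-6272 (4.1.1 through 4.4.2)
and by the second, Gingerbread-era bug (2.3.3 and 2.3.6).

Added example, not code from Curesec or the article.  It assumes version
strings as reported by the ro.build.version.release build property (e.g.
"4.4.2").  Vendor backports are invisible to this check, and 4.4.3 is not
named by the article, so it is left outside the range here.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Inclusive (low, high) ranges taken from the article, with a label for each.
AFFECTED_RANGES: List[Tuple[Version, Version, str]] = [
    ((4, 1, 1), (4, 4, 2), "CVE-2013-6272"),
    ((2, 3, 3), (2, 3, 3), "second (Gingerbread) bug, 2.3.3"),
    ((2, 3, 6), (2, 3, 6), "second (Gingerbread) bug, 2.3.6"),
]

FIXED_FROM: Version = (4, 4, 4)  # release in which Google closed CVE-2013-6272


def parse_version(release: str) -> Version:
    """Turn "4.4.2" (or "4.4", or "4.4.2-anything") into a comparable tuple,
    zero-padding to three components so that "4.4" compares as 4.4.0."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised Android release string: {release!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def affected_by(release: str) -> List[str]:
    """Return the labels of every listed range that contains `release`."""
    v = parse_version(release)
    return [label for low, high, label in AFFECTED_RANGES if low <= v <= high]


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map device id -> matching issue labels for every device that needs
    attention; devices outside all ranges are omitted from the report."""
    report: Dict[str, List[str]] = {}
    for device_id, release in inventory.items():
        hits = affected_by(release)
        if hits:
            report[device_id] = hits
    return report


# Constructed sample inventory (device id -> ro.build.version.release).
SAMPLE_INVENTORY: Dict[str, str] = {
    "emulator-5554": "4.4.2",   # last KitKat build named as affected
    "emulator-5556": "4.4.4",   # carries the fix
    "emulator-5558": "2.3.6",   # Gingerbread, second bug
    "emulator-5560": "4.1.1",   # first Jelly Bean build named as affected
    "emulator-5562": "2.3.4",   # Gingerbread build not named by the article
    "emulator-5564": "4.0.4",   # Ice Cream Sandwich, outside both ranges
}

if __name__ == "__main__":
    for dev, issues in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{dev}: needs update ({', '.join(issues)})")
```

Run it against a real inventory by replacing `SAMPLE_INVENTORY` with the output of `getprop` collected per device; anything it reports should be scheduled for the 4.4.4 update, and anything it does not report still deserves a manual check if the vendor is known to backport fixes without bumping the release number.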
Curesec was kind enough to publish the source code for both bugs so that more developers have an opportunity to work on a fix, along with a tool that users can open in their mobile browser to test whether their device is at risk.
All told, just short of 90 percent of Android phones can be brought down by the bug, and for now the most effective way to avoid being pwned is to update your phone to 4.4.4 KitKat as soon as possible.