Android Vulnerability Allows Applications to Make Unauthorized Calls without Permissions
A 
major vulnerability believed to be present in most versions of Android 
can allow a malicious Android applications on the Android app store to 
make phone calls on a user’s device, even when they lack the necessary 
permissions.
The critical vulnerability was identified and reported
 to Google Inc. late last year by researchers from German security firm 
Curesec. The researchers believe the virus was first noticed in Android 
version 4.1, also known as “Jelly Bean.”
APPS CAN MAKE CALLS FROM YOUR PHONE
“This bug can be abused by a malicious application. Take a simple 
game which is coming with this code. The game won’t ask you for extra 
permissions to do a phone call to a toll number – but it is able to do 
it,” Curesec’s CEO Marco Lux and researcher Pedro Umbelino said Friday in a blog post. “This is normally not possible without giving the app this special permission.”
By leveraging these vulnerabilities, malicious applications could 
initiate unauthorized phone calls, disrupt ongoing calls, dialing out to
 expensive toll services, potentially framing up big charges on 
unsuspecting users' phone bills.
Android bug allows unauthorized users to terminate outgoing calls and Send USSD
The vulnerability can also be exploited to disconnect the outgoing calls, to send and execute :
- Unstructured Supplementary Service Data (USSD)
- Supplementary Service (SS)
- Manufacturer-defined MMI (Man-Machine Interface) codes.
These special codes can be used to access various device functions or 
operator services, which makes the problem a nasty one for those who 
value the data they store on their mobile phone.
“The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on,” reads the blog post.
Even the Android security programs, where apps without the CALL_PHONE
 permission should not be able to initiate phone calls, can be easily 
bypassed and offer no protection from these flaws, because the exploits 
have capability to deceive the Android permissions system altogether.
"As the app does not have the permission but is abusing a bug, such 
apps cannot easily protect you from this without the knowledge that this
 bug exists in another class on the system," wrote the researchers.
A large number of versions of Android are affected by the 
vulnerabilities. Researchers have found two different flaws that can be 
exploited to achieve the same ends – one that's present in newer Android
 releases and another that's found in older versions.
FIRST BUG - AFFECTS NEWER VERSION OF ANDROID
The first security bug, identified as CVE-2013-6272, 
appears to be introduced in Android version 4.1.1 Jelly Bean, and 
outlasted all the way through 4.4.2 KitKat before the security team at 
Google was able to fixed it in Android 4.4.4.
But, luckily only about 14% of users are currently updated to the latest
 version of the mobile Operating System. So, just think about it, How 
many users are currently in the grip of the flaws? Not less than a 
generous users open to vulnerabilities and attack paths.
SECOND BUG - AFFECTS OLDER VERSION OF ANDROID
The second security hole is wider in its reach, affecting both Android 
2.3.3 and 2.3.6, the popular versions of Gingerbread variant which are 
used by lower-end smartphones, budget-style smartphones which continue 
to surge in popularity amongst emerging markets like those found in 
Brazil, China, and Russia. 
The bug was fixed in Android 3.0 Honeycomb, but that was a tablet-only 
release that no longer even charts on Google's Android statistics. That 
means the bugs leave nearly 90 percent of Android users running 
vulnerable versions of the Operating System to dialer-manipulating 
vulnerability.
Researchers at Curesec have provided source code and a proof-of-concept demonstration app for both the bugs, so that customers can help themselves to test if their Android devices are vulnerable or not.
It is strongly advised to Android users those are running KitKat on 
their devices to get upgraded to the latest version 4.4.4 as soon as 
possible. It is expected that the device makers and carriers will soon 
roll out the updates in the coming weeks.
Android Vulnerability Allows Applications to Make Unauthorized Calls without Permissions
![Android Vulnerability Allows Applications to Make Unauthorized Calls without Permissions]() Reviewed by Unknown
        on 
        
2/01/2015
 
        Rating:
 
        Reviewed by Unknown
        on 
        
2/01/2015
 
        Rating: 
 
 
 
 
No comments:
Post Your Comment Here Please