This class of vulnerability by the German security research organisation Curesec discovered late last year when the secret to tell Google until this year 7 month when it decided to publish a similar vulnerability. This vulnerability relates to the com. android. phone. PhoneGlobals$NotificationBroadcastReceiv components exposed problems, leading to the malicious application does not need to declare any permissions, can call.
2. Vulnerability details
In the Android source code(JELLY_BEAN 4.3 as an example) /packages/apps/Phone/src/com/android/phone/PhoneGlobals. java there is a named NotificationBroadcastReceiver the BroadcastReceiver.
From the code you can see this PhoneGlobals$NotificationBroadcastReceiver according to the received Intent of the three kinds of action that trigger different actions:
（1）ACTION_HANG_UP_ONGOING_CALL: hang up the ongoing call;
（2）ACTION_CALL_BACK_FROM_NOTIFICATION: sending action for Intent. ACTION_CALL_PRIVILEGED the intent, the end will start the dial-up Activity(for OutgoingCallBroadcaster from AndroidManifest that), direct dial-up;
（3）ACTION_SEND_SMS_FROM_NOTIFICATION: send Intent, to start the sending of SMS Activity, this step requires user intervention.