A pair of vulnerabilities in all but the newest KitKat iteration of Google’s Android operating system could let a malicious or rogue application exceed its permission level in order to make phone calls, hang up phone calls, or send USSD or MMI codes.
Marco Lux and Pedro Umbelino of Curesec claim they reported the issues to Google and waited several months before publishing their findings late last month. Threatpost reached out to Google for confirmation on this but did not hear back by the time of publication.
“The bug can be abused by a malicious application,” Lux and Umbelino write. “Take a simple game which is coming with this code. The game won’t ask you for extra permissions to do a phone call to a toll number – but it is able to do it.”
In addition to potentially enabling premium rate phone call scams and hanging up legitimate user calls, there is also the risk posed by sending USSD codes.
“The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls(forwarding), blocking your simcard, enable or disable caller anonymisation and so on.”
The first bug, in ‘com.android.phone.PhoneGlobal$NotificationBroadcastReceiver’, relates to making and ending phone calls. The researchers note it could also be exploited to send SMS messages, though they called this element “the least interesting” because it would require user interaction. The second bug, in ‘PhoneApp.java’, has to do with the sending of MMI and USSD codes.
In order to commit these actions under normal circumstances, an application would have to ask permission to do so. The researchers explain that tools which revoke permissions would not be able to block this sort of attack, because it subverts the permission model altogether.
The thread that ties these bugs together, according to Lux and Umbelino, is a coding error, which they discovered by way of a programmer’s note written into the Android code base. While browsing through the code in each of these parts of the Android platform, the researchers noticed a programmer’s note accompanying the ‘NotificationBroadcastReceiver’ class saying, “This should be visible from the outside, but shouldn’t be in ‘exported’ state.”
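The defensive check this implies is a manifest audit for components that other apps can reach without a guarding permission. The following script is an added example, not code from the article or from Curesec’s proof of concept; the manifest it scans is constructed here, and the package and component names in it are hypothetical apart from the receiver class name the article mentions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest. The first receiver carries an intent-filter and
# no android:exported, which (before Android 12 made the attribute mandatory)
# means any app can send it a broadcast, and it has no android:permission to
# gate callers. The second is the corrected, non-exported form; the third is
# exported on purpose but gated by a permission.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.phone">
  <application>
    <receiver android:name=".NotificationBroadcastReceiver">
      <intent-filter><action android:name="com.example.ACTION_CALL"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.ACTION_INTERNAL"/></intent-filter>
    </receiver>
    <service android:name=".CallService" android:exported="true"
             android:permission="android.permission.CALL_PHONE"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_exported(manifest_xml):
    """Return (tag, name) pairs for receivers, services and activities that are
    exported (explicitly, or implicitly by having an intent-filter) and that
    declare no android:permission, so any installed app can invoke them."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("receiver", "service", "activity"):
        for comp in root.iter(tag):
            exported = _attr(comp, "exported")
            if exported is None:
                # Legacy default: an intent-filter makes the component exported.
                is_exported = comp.find("intent-filter") is not None
            else:
                is_exported = exported.strip().lower() == "true"
            if is_exported and _attr(comp, "permission") is None:
                findings.append((tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_exported(SAMPLE_MANIFEST):
        print(f"unprotected exported {tag}: {name}")
```

Run against a decoded AndroidManifest.xml (for example one produced by apktool), it lists the components whose callers the permission model does not check at all, which is exactly the class of error the researchers describe.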
This pair of errors, which the researchers believe was introduced at some point and never removed, is exploitable.
Curesec’s research includes a proof of concept that readers can try out on their own devices. However, they make sure to absolve themselves of responsibility for any potential damages done by the exploit.