Android bug lets apps make rogue phone calls

Lucian Constantin | July 8, 2014

A vulnerability present in most Android devices allows apps to initiate unauthorized phone calls, disrupt ongoing calls and execute special codes that can trigger other rogue actions.

The attack is not exactly silent, as users can see that a call is in progress by looking at the phone, but there are ways to make detection harder.

A malicious app could wait until there is no activity on the phone before initiating a call or could execute the attack only during nighttime, Lux said Monday via email. The app could also completely overlay the call screen with something else, like a game, he said.

The Curesec researchers have created an application that users can install to test whether their devices are vulnerable, but they have not published it to Google Play. As far as Lux knows, Google is now scanning the store for apps that attempt to exploit the vulnerability.

The only protection for users who don't receive the Android 4.4.4 update would be a separate application that intercepts every outgoing call and asks them for confirmation before proceeding, Lux said.

Lux and his team have also identified a separate vulnerability in older Android versions, namely 2.3.3 to 2.3.6, also known as Gingerbread, that has the same effect. Those Android versions were still used by around 15 percent of Android devices as of June, according to Google's data.

Google did not immediately respond to a request for comment.

 
