Nearly all Android smartphones contain bugs that can allow rogue apps to ignore the permissions used to control them, according to research by German security company Curesec.
Curesec found two separate Android bugs, both of which have been present for months or even years, and both of which can be exploited to place phone calls, potentially leaving phone users vulnerable to scams involving premium-rate numbers.
These Android bugs could also allow malicious apps to send instructions to carriers to change options on the phone such as call forwarding, according to The Register’s report – again, without being granted permission to do so, or alerting the user.
Android bug: permission denied
The exploits bypass the permissions used to control what apps can and cannot do – so users would not be alerted that a malicious app could make calls, according to Curesec.
“Android normally has to grant permission so that your applications can conduct actions,” the researchers write. “If your installed application does not own the right to do a phone call, the Android OS should throw a permission denied.”
“However this bug is circumventing the situation and allows any malicious app to do a phone call, send [codes to the network] or hang up an ongoing call.”
PC World reports that Curesec believe one of the bugs was introduced in the Android Jelly Bean update, which was first made available in July 2012. The issue was patched in Android KitKat – but very few devices run the new software so far.
Active for years
The other Android bug is even older, introduced in Android Gingerbread. Taken together, The Register calculates, around 87% of current handsets are vulnerable to malware targeting the exploits.
Curesec offers two proof-of-concept apps to test whether Android handsets are vulnerable, available freely via their website.
In ESET’s Threat Trends Report predictions for this year, ESET experts warned of “an escalating increase in serious threats targeting Android phones and tablets – ESET detections of such malware increased more than 60% between 2012 and 2013. This trend is predicted to continue in 2014.”
ESET Latin America’s Research Laboratory in Buenos Aires points out that malware afflicting Android now uses classic PC attack methods – the discovery of vulnerabilities, then their exploitation through malicious code.
Thankfully, most of these threats can be avoided by sensible use of your device. Robert Lipovsky writes, “We encourage users to protect themselves against these threats using prevention and defensive measures. Adhering to security best practices, such as keeping away from untrustworthy apps and app sources, will reduce your risks.”