A few days ago, Curesec announced a vulnerability that allows an app to bypass the phone-call permission on Android. A malicious developer could write an app that makes arbitrary phone calls without requesting the permission an app is supposed to declare before placing calls. The victim could then face some expensive phone bills.
The affected Android versions include:
- 2.3.3, API Level 10
- 2.3.6, API Level 10
- 4.1.1, API Level 16
- 4.1.2, API Level 16
- 4.2.2, API Level 17
- 4.3, API Level 18
- 4.4.2, API Level 19
The vulnerability is caused by a logic error in the NotificationBroadcastReceiver class of com.android.phone.PhoneGlobals. When handling an ACTION_CALL_BACK_FROM_NOTIFICATION message, the code directly fires the privileged ACTION_CALL_PRIVILEGED intent without checking the sender's permission, which allows any app to call any phone number by sending an ACTION_CALL_BACK_FROM_NOTIFICATION message to com.android.phone.
The vulnerable code can be found at http://goo.gl/brGgGX, in lines 1137 to 1145:
To exploit this vulnerability, one could simply send an ACTION_CALL_BACK_FROM_NOTIFICATION message to the com.android.phone component, which carries the phone number inside the data content:
Curesec has provided the proof-of-concept code and apk.
After receiving the vulnerability report, the Trustlook team immediately added a detection module. Using its static analysis engine, Trustlook Antivirus can detect the exploit code before it is triggered. So far, we haven't detected any malware that exploits this vulnerability to profit from unauthorized phone calls.
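As an added illustration of the kind of static rule such a detection module can apply (constructed for this post, not Trustlook's engine), the Python below checks an APK's decoded manifest and its DEX string table: an app that references the ACTION_CALL_BACK_FROM_NOTIFICATION intent aimed at com.android.phone while never declaring android.permission.CALL_PHONE has no legitimate way to place the call it is about to trigger. The full action string value and the sample inputs are assumptions made for the example.

```python
"""Heuristic static check for the Curesec phone-call permission bypass.

Constructed example, not Trustlook's detection module. Any third-party app
that touches the com.android.phone callback intent is abnormal; one that
also lacks CALL_PHONE is flagged as a permission bypass.
"""
import xml.etree.ElementTree as ET

# Assumed full value of the PhoneGlobals constant; the post only names it.
CALLBACK_ACTION = "com.android.phone.ACTION_CALL_BACK_FROM_NOTIFICATION"
PHONE_PACKAGE = "com.android.phone"
CALL_PERMISSION = "android.permission.CALL_PHONE"
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NAME) for p in root.iter("uses-permission")}


def references_callback_intent(dex_strings):
    """True if the DEX string table holds both the callback action and the
    target package name; both appear verbatim in code that sends the intent."""
    table = set(dex_strings)
    return CALLBACK_ACTION in table and PHONE_PACKAGE in table


def assess(manifest_xml, dex_strings):
    """Classify an APK as 'clean', 'suspicious' (intent referenced but the
    app holds CALL_PHONE) or 'bypass' (intent referenced without CALL_PHONE)."""
    if not references_callback_intent(dex_strings):
        return "clean"
    if CALL_PERMISSION in declared_permissions(manifest_xml):
        return "suspicious"
    return "bypass"


# Constructed sample inputs standing in for apktool/dexdump output.
MANIFEST_NO_CALL_PERM = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
MANIFEST_WITH_CALL_PERM = MANIFEST_NO_CALL_PERM.replace(
    "android.permission.INTERNET", "android.permission.CALL_PHONE")
DEX_STRINGS = ["Landroid/content/Intent;", CALLBACK_ACTION, PHONE_PACKAGE, "tel:"]

if __name__ == "__main__":
    print(assess(MANIFEST_NO_CALL_PERM, DEX_STRINGS))  # bypass
```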