Fresh Android Vulnerability Affects 60% of Devices

A vulnerability that could affect as many as 60% of Android devices connected to Google Play has been discovered
A vulnerability that could affect as many as 60% of Android devices connected to Google Play has been discovered that allows applications to carry out a variety of malicious activities without requesting any user permissions, including placing phone calls (premium-rate calls among them), terminating other calls, listening in on calls in progress and sending SMS messages, all surreptitiously.

The ramifications of the flaw, first uncovered by Curesec, are clear: an app, like a simple game, can neglect to ask for extra permissions to call a toll number, opening the door for premium calling fraud. Or, a malicious “nuisance” app can make sure that any outgoing calls are dropped.

Researchers at Curesec said that the vulnerability can also be exploited to execute a variety of special codes, including Unstructured Supplementary Service Data (USSD), Supplementary Service (SS) and manufacturer-defined Man-Machine Interface (MMI) codes. These codes give a handset access to various device functions or operator services. Normally an app must request a permission to dial them, or the user has to press the “send” key to trigger them. The flaw, however, allows apps to bypass that requirement.

“This bug can be abused by a malicious application,” explained Curesec's CEO Marco Lux and researcher Pedro Umbelino, in a blog post. “The list of USSD/SS/MMI codes is long and there are several quite powerful ones, like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymization and so on.”
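To make the quoted list concrete, the added Python below (example code, not Curesec's or the article's) parses dial strings against the standard MMI/SS syntax from 3GPP TS 22.030 and labels the sensitive ones a telephony monitor would flag if an app dialed them silently: call forwarding, caller-ID restriction and SIM PIN operations. The sample dial strings are constructed; the risk ratings are this example's own assumption.

```python
import re

# Structured MMI/SS syntax (3GPP TS 22.030): procedure prefix, 2-3 digit
# service code, optional '*'-separated supplementary info, terminating '#'.
MMI_RE = re.compile(r"^(?P<proc>\*\*|\*#|\*|##|#)(?P<sc>\d{2,3})(?P<si>(?:\*[^*#]*)*)#$")

PROCEDURE = {"*": "activate", "#": "deactivate", "*#": "interrogate",
             "**": "register", "##": "erase"}

# Service codes from TS 22.030; the risk column is an assumed defender rating
# of what silent, unconsented use of the code would mean for the victim.
SERVICE = {
    "21": ("call forwarding unconditional", "high"),
    "61": ("call forwarding on no reply", "high"),
    "62": ("call forwarding on not reachable", "high"),
    "67": ("call forwarding on busy", "high"),
    "002": ("all call forwarding", "high"),
    "004": ("all conditional call forwarding", "high"),
    "31": ("caller ID restriction (CLIR)", "medium"),
    "33": ("barring of outgoing calls", "high"),
    "35": ("barring of incoming calls", "high"),
    "43": ("call waiting", "low"),
    "06": ("display IMEI", "low"),
    "04": ("change SIM PIN", "high"),
    "042": ("change SIM PIN2", "high"),
    "05": ("unblock SIM PIN with PUK", "high"),
    "052": ("unblock SIM PIN2 with PUK2", "high"),
}

def classify_dial_string(dial: str) -> dict:
    """Describe what the dialer would do with this string.
    Structured codes with a known service code are SS/MMI operations; a
    structured code with an unknown service code is passed to the network
    as USSD; anything else is treated as a plain phone number."""
    m = MMI_RE.match(dial)
    if not m:
        return {"kind": "number", "dial": dial, "risk": "low"}
    sc = m.group("sc")
    if sc not in SERVICE:
        return {"kind": "ussd", "dial": dial, "service_code": sc, "risk": "medium"}
    name, risk = SERVICE[sc]
    info = [s for s in m.group("si").split("*") if s]  # e.g. forwarding target
    return {"kind": "mmi", "dial": dial, "procedure": PROCEDURE[m.group("proc")],
            "service": name, "risk": risk, "info": info}

def sensitive(dials):
    """Dial strings a monitor should alert on when issued without user consent."""
    return [d for d in dials if classify_dial_string(d)["risk"] == "high"]

# Constructed sample of dial strings as a telephony log might record them.
SAMPLE_DIALS = ["15551234567", "**21*15551234567#", "*31#", "*#06#",
                "**04*1234*5678*5678#", "*100#"]
```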

It’s hardly good news, since it adds another arrow to the quiver of mobile malware, which continues to be the fastest-growing segment of the threat landscape: the list of malicious Android apps hit the 10 million mark as of the beginning of the year.

By late January 2014, Kaspersky Lab had accumulated about 200,000 unique samples of mobile malware, up 34% from November 2013 – for context, two months earlier just over 148,000 samples had been recorded. Android is still target No. 1, attracting a whopping 98.05% of known bugs.

“The mobile world is one of the fastest-developing IT security areas,” the company said in the report. “In 2013 security issues around mobiles have reached new heights and attained a new level of maturity in terms of both quality and quantity.”

It added, “If 2011 was the year when mobile malware gained traction, especially in Android-land, and 2012 was the year of mobile malware diversification, then 2013 saw mobile malware come of age. It’s no great surprise that mobile malware is approaching the PC threat landscape in terms of cybercriminal business models and technical methods; however the speed of this development is remarkable.”
