Curasec, a Germany-based security consultancy, found a bug in various versions of Android phones that malicious applications can exploit. Ongoing calls can be terminated and short text messages can instead be sent to a number, though with the user’s intervention. The bug was discovered last year; the Android Security Team has fixed it in Android 4.4.4, but earlier versions are still affected.
The bug is present in version 4.1.x of the OS, which was being used by nearly 56.5% of Android users as of July 7. Users of KitKat versions earlier than 4.4.4 are also affected. The targeted person's phone bill can rise steeply because of the calls the cybercriminals place to dedicated premium lines.
Curasec reported that the bug bypasses the permission check, so no permission is requested when a call is made. Ideally, an Android app should not be able to make a call if it has no permission, but due to the bug a call can be made, in addition to sending MMI or USSD codes or hanging up a current call.
According to the research, the bug can be maliciously used to send Supplementary Service (SS), Man-Machine Interface (MMI) and Unstructured Supplementary Service Data (USSD) codes. These can be used to manipulate basic functions of a phone, such as blocking the SIM card, call forwarding and switching the caller ID on or off. There is no way out for Android users except to switch to the latest models. Curasec has developed two Android apps to find out whether a phone is vulnerable to any of the flaws described above.
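To make the SS/MMI/USSD distinction concrete for anyone reviewing dialed-number logs or `tel:` URIs found in an app, the following added example (not code from Curasec or from the original article) classifies dial strings using the prefix and service-code structure of 3GPP TS 22.030. The function names, the choice of service codes and the sample strings are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Procedure prefixes from 3GPP TS 22.030 (supplementary-service control strings).
ACTIONS = {"*": "activate", "#": "deactivate", "*#": "interrogate",
           "**": "register", "##": "erase"}

# Subset of TS 22.030 service codes for the functions the article names.
SERVICES = {
    "21": "call forwarding (unconditional)", "67": "call forwarding (busy)",
    "61": "call forwarding (no reply)", "62": "call forwarding (not reachable)",
    "002": "call forwarding (all)", "004": "call forwarding (all conditional)",
    "30": "caller ID presentation", "31": "caller ID restriction",
    "04": "SIM PIN change", "042": "SIM PIN2 change",
    "05": "SIM PIN unblock", "052": "SIM PIN2 unblock",
}

# prefix, 2-3 digit service code, optional *-separated arguments, '#', optional tail
MMI = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[^*#]*)*)#(.*)$")

def classify(dial_string):
    """Classify one dialed string or tel: URI as SS, USSD/other MMI, or number."""
    s = unquote(dial_string.strip())          # tel: URIs carry '#' as %23
    if s.lower().startswith("tel:"):
        s = s[4:]
    s = re.sub(r"[\s\-()]", "", s)            # drop visual separators
    m = MMI.match(s)
    if m and m.group(2) in SERVICES:
        prefix, code, args, _tail = m.groups()
        return {"kind": "SS", "action": ACTIONS[prefix], "service": SERVICES[code],
                "args": [a for a in args.split("*") if a]}
    if s[:1] in ("*", "#") and s.endswith("#"):
        return {"kind": "USSD/other MMI"}     # code string outside the table above
    return {"kind": "number"}

def review(dialed):
    """Return (string, classification) for every entry that is not a plain number."""
    hits = [(d, classify(d)) for d in dialed]
    return [(d, c) for d, c in hits if c["kind"] != "number"]

# Constructed sample of dialed strings (fictional 555-01xx numbers).
SAMPLE = ["+1 555-0100", "tel:**21*+15550101%23", "*#31#", "*100#", "5550102"]

if __name__ == "__main__":
    for dialed, result in review(SAMPLE):
        print(dialed, "->", result)
```

Entries that come back as `SS` or `USSD/other MMI` from an app without call permission are the ones worth investigating on the affected Android versions.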