Users of Android phones have to take particular care to ensure that their devices are not
vulnerable to a flaw that lets applications on the phone make calls
even when they have not been granted permission to do so. Curesec, a well-known German security firm, brought
this vulnerability to Google's attention sometime late last year and discussed it in
detail in a report submitted to Google Inc. The vulnerability appears to have been first detected in
version 4.1 of Android, also known as Jelly Bean.
The malicious bug takes the form of specific code that is present in several Android applications.
For instance, if a game application on your Android phone contains this code, unauthorized
phone calls can easily be made from your phone to other phones without your knowledge.
Normally an application must be explicitly granted permission before it can
make calls to external devices. With this malicious bug being rampant in android phones, this is no
Outgoing calls can be terminated by unauthorized users via this bug. It can also execute
manufacturer-defined MMI codes, supplementary service codes and USSD (Unstructured Supplementary
Service Data) codes. If you value privacy and data confidentiality, this bug will prove to be
rather nasty for you. The codes can be used to access operator services and numerous device
functions quite easily.
The list of such codes is a long one. Some of these
codes are capable of blocking a SIM card. Others can disable or enable caller anonymity, or change
the phone call flow on a specific Android device.
Some Android security applications normally control how calls are made
from the device. However, the bug can bypass these
applications quite easily, and it circumvents the Android permissions system
altogether. Hence these apps provide no protection at all to phones that are
vulnerable.
Researchers have found two flaws that can be exploited to achieve the
same goals. One has been found in the older Android systems and the other in one of the new
The first bug is tracked as CVE-2013-6272. It was first found in Jelly Bean, version 4.1
of the Android OS, and is also present in the later 4.4 KitKat version
of the Android OS.
This bug has been fixed in the latest Android update, 4.4.4. As a
However, not many Android users have been able to download this update. Only
about fourteen percent of Android users worldwide have managed to do so.
Hundreds of thousands of other Android users continue to be affected by these flaws.
The bug present in older, outdated versions of Android such as 2.3.6
and 2.3.3 is known to have a wider reach. It is especially prevalent in Android Gingerbread,
which runs on small, budget phones that are widely used in countries like Russia,
China and Brazil. This bug was fixed in Android 3.00 Honeycomb. However, that OS is
limited to tablet devices. More than ninety percent of Android users around the globe can still
exploit this bug.
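
The version ranges described above can be turned into a triage check over a device inventory. The following Python is an added example, not Curesec's proof of concept or code from this article; the range edges (everything below 3.0, and 4.1 up to but excluding 4.4.4) and the device names are assumptions, and the release strings are of the kind reported by `getprop ro.build.version.release`.

```python
import re

# Bounds taken from the article. The exact range edges are assumptions:
# the article names only sample versions inside each range.
OLD_FLAW_FIXED = (3, 0, 0)   # older flaw: seen in 2.3.3 / 2.3.6, fixed in 3.0
CVE_FIRST_SEEN = (4, 1, 0)   # CVE-2013-6272: first found in 4.1 Jelly Bean
CVE_FIXED = (4, 4, 4)        # CVE-2013-6272: fixed in 4.4.4

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a release number."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(release):
    """Map an Android release string to the flaw range it falls in."""
    v = parse_version(release)
    if v is None:
        return "unknown"          # needs manual review, never assume safe
    if v < OLD_FLAW_FIXED:
        return "older-version flaw"
    if CVE_FIRST_SEEN <= v < CVE_FIXED:
        return "CVE-2013-6272"
    return "not in an affected range"

def triage(inventory):
    """Group device names by verdict."""
    report = {}
    for device, release in inventory:
        report.setdefault(classify(release), []).append(device)
    return report

# Constructed sample inventory (hypothetical device names).
INVENTORY = [
    ("handset-01", "2.3.6"),
    ("handset-02", "4.1.2"),
    ("tablet-03", "3.00"),
    ("handset-04", "4.4.2"),
    ("handset-05", "4.4.4"),
    ("handset-06", "KitKat"),   # codename only: cannot be classified
]

if __name__ == "__main__":
    for verdict, devices in triage(INVENTORY).items():
        print(f"{verdict}: {', '.join(devices)}")
```
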
Curesec researchers have published proof-of-concept demonstrations and source code. These
enable Android users to detect this bug in their phones.