Major VOIP Security Flaws Discovered in Android

John Lister

Researchers say they discovered eight security flaws in the way Android handles voice calls through the Internet. Unlike most such bugs, which involve specific apps, these problems were with Android itself.

The good news is that the researchers reported all of the bugs to Google while carrying out the project and most have now been fixed. However, the findings do raise concerns about the development and design of the system itself. (Source: github.io)

The researchers looked at the three latest Android versions (7, 8 and 9), specifically addressing the components that allow Voice Over Internet Protocol (VOIP). With VOIP, apps and services such as Skype use the phone's voice call hardware, such as the microphone and speaker, but transmit the data over the Internet rather than voice networks. This is especially convenient for users on a metered voice or data plan, and when free WiFi is available.

Malware Could Eavesdrop

ZDNet explains that the researchers used a technique called "fuzzing" to find security gaps. Fuzzing effectively involves putting random data (often in the "wrong" format) into software in order to see how it responds. This can often reveal vulnerabilities. (Source: zdnet.com)

One of the bugs, related to a specific VOIP app named "VK", would have allowed malware to start a call, then eavesdrop via the phone's microphone.

The other bugs all related to Android, meaning victims wouldn't need to have a VOIP app installed or active. Some required malware to be on the phone and could allow hackers to divert incoming calls to their own devices.

Bogus Number Causes Problems

Others didn't require any malware and instead took advantage of inconsistencies between the way voice and VOIP calls handle unexpected characters in phone numbers. That could make it possible to call a phone and make it display a bogus caller ID - for example, for harassment or when making marketing calls.

It was also possible for attackers to create their own exceptionally long phone numbers, then place a call to another phone. In some cases this would crash the phone being called (because the caller ID was too long). In other cases, the caller ID number would run "off the bottom" of the screen so that buttons to answer or reject the call disappeared. This then caused the phone to ring indefinitely and also prevented the user from accessing any other features.

In theory, these bugs could be used as a prank or on a large scale to stop people using phones during a gathering such as a political protest. Perhaps more seriously, it could let hackers "tie up" a phone and distract the user while using other malware in the background.

The most serious of the "long number" attacks would actually create a stack buffer overflow, in which more data is written to a fixed-size region of the device's memory than it can hold, overwriting whatever sits next to it. In turn, this could allow unrestricted access to other active applications, and allow a bogus caller to remotely run code on the device (such as malware).
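
The caller ID problems described above (unexpected characters handled inconsistently, and numbers long enough to crash the phone or overflow a buffer) all come from treating a network-supplied number as trusted input. The following is an added example, not Android's code or the researchers': a C check that could sit in front of both the voice and VOIP display paths so they agree. The function names, the "Unknown" label and the E.164-based length limit are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed policy: E.164 allows at most 15 digits, plus an optional leading '+'. */
#define CID_MAX_LEN 16

enum cid_status { CID_OK, CID_EMPTY, CID_TOO_LONG, CID_BAD_CHAR, CID_NO_BUFFER };

/* Hypothetical helper: copy raw into out only if it is a short, digits-only
 * number; otherwise out receives "Unknown". out_len is the full size of out. */
enum cid_status cid_sanitize(const char *raw, char *out, size_t out_len)
{
    enum cid_status st = CID_OK;
    size_t n = 0, digits = 0;

    if (out == NULL || out_len < sizeof "Unknown")
        return CID_NO_BUFFER;          /* nowhere safe to write even the fallback */
    if (raw == NULL || raw[0] == '\0')
        st = CID_EMPTY;
    /* Bounded scan: stop one past the limit, never walk an oversized input. */
    while (st == CID_OK && n <= CID_MAX_LEN && raw[n] != '\0')
        n++;
    if (n > CID_MAX_LEN || n >= out_len)
        st = CID_TOO_LONG;
    for (size_t i = 0; st == CID_OK && i < n; i++) {
        if (raw[i] >= '0' && raw[i] <= '9')
            digits++;
        else if (!(raw[i] == '+' && i == 0))
            st = CID_BAD_CHAR;         /* ';', '&', spaces, letters, control bytes */
    }
    if (st == CID_OK && digits == 0)
        st = CID_BAD_CHAR;             /* a lone '+' is not a number */
    if (st == CID_OK && digits > CID_MAX_LEN - 1)
        st = CID_TOO_LONG;             /* 16 digits with no '+' exceeds E.164 */
    if (st == CID_OK)
        memcpy(out, raw, n + 1);       /* n < out_len, so the terminator fits */
    else
        memcpy(out, "Unknown", sizeof "Unknown");
    return st;
}

/* Status only, for callers that just need the accept/reject decision. */
enum cid_status cid_check(const char *raw)
{
    char buf[CID_MAX_LEN + 1];
    return cid_sanitize(raw, buf, sizeof buf);
}
```

Rejecting the number and showing a fixed label, rather than truncating it, keeps the display from showing a partial number that looks like a different caller.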

What's Your Opinion?

Are you surprised Google didn't discover such bugs itself? Are these simply the price to pay for having sophisticated phones that are effectively mini computers? Do people take phone security seriously enough?


Comments

Focused100

Hi Dennis

I'm not surprised, but at least they took steps to patch the holes.
Many firms learn of attack vectors and do NOTHING to fix them until someone holds their feet to the fire.

dwightlightnin

Google is a government owned company and I don't care what kind of bull sheeple have been told. How do you think hacker AKA LEO can dig up what you ate for dinner 3 years ago and what underwear you wore the next day? Now LEO doesn't need to hack your phone as they have equipment set up all over town that picks up any call to or from any number they want, even yours, to vet you. I can only explain it like a radio picking up stations and they use CDMA 2g and 2 others I have never heard of until reading my iPhone analytic logs every day. Look for magic men. LEGALIZE FREEDOM not the thought of it. My Android phone is much worse than the iPhone. Snowden only taught me that any cable used to charge a phone or PC may have an intercepting device and I read over 2000 of the files they let loose. I also believe most of the thefts are from guberment agencies and law enforcement organizations. This whole country is FU(%~*!!! Ignorance is bliss they say and at least they told the truth about something. Diatribe over.

dwightlightnin

NONE EXISTS UNLESS PBS or another nationwide media center gets it out to the sheeple. Thanks for making the ads from skipping the screen while scrolling Dennis.