Android Scam Call And SMS Security Is Undone By HTML Exploiting Malware

Android’s built-in protection, which flags warnings about apps trying to send premium rate messages without user consent, can be manipulated by malware to display a message controlled by malicious code.

Researchers from MWR Labs discovered a flaw in the Android Telephony API, which handles SMS and MMS sending and receiving on an Android smartphone, and noted that it could lead to users being tricked into sending premium rate messages despite thinking they are being protected by Android’s security features.

The security feature normally blocks premium messages with a prompt warning users of the cost and the app’s intentions, then asking them if the wish to continue to send the premium message.

HTML hacking

The malware can bypass the Android Telephony API by using HTML tags in the malicious application which governs how the the API displays a warning message.

“MWR Labs found that this protection could be manipulated by the malware running on the device. The warning message is partly based on the application’s name. By including special characters, it is possible to change the message from the standard message, into something that the user is more likely to press the “send” button for,” said Rob Miller, head of operational technology at MWR InfoSecurity.

“By pressing the send button the phone would then send a premium rate SMS message without further interaction with the user.”

Miller noted that Google issued a fix for the flaw in its latest Android Security Bulletin, but it is up to hardware OEMs, like HTC and Samsung to rollout the fix to their own devices, meaning the flaw may still be ripe for exploitation by malicious code.

Google’s Android has come under quite a bit of fire from software vulnerabilities and malware over the past few week, with it being forced to pull four spyware-riddled apps from the Play Store, as well as patch 55 vulnerabilities is its Android September update.

Quiz: What do you know about cybersecurity in 2016?