At least nine zero-day vulnerabilities that exist in recent versions of the Android OS were discovered by Chinese bug bounty researchers. The vulnerabilities specifically target the VoIP functions of Android phones and could be exploited to achieve remote code execution.
The study entitled “Understanding Android VoIP Security: A System-level Vulnerability Assessment” was conducted by Daoyuan Wu from the Department of Information Engineering of the Chinese University of Hong Kong, En He from OPPO ZIWU Cyber Security Lab and Robert H. Deng from School of Information Systems at Singapore Management University.
The researchers said that the discovered vulnerabilities existed on Android version 7.0 to the most recent 9.0; two-thirds of which could be exploited by a network-side adversary due to incompatible processing between VoIP and PSTN calls.
Notably, the flaws specifically target Android’s VoWiFi and VoLTE features. Voice over Wi-Fi and Voice over LTE are features that allow Voice over Internet Protocol (VoIP) calling on Android devices, carrying calls over a Wi-Fi or LTE data connection instead of the traditional phone network.
The zero-days, according to the researchers, could allow malicious users to deny voice calls, spoof the caller ID, perform unauthorized call operations, and remotely execute code. Google, for its part, patched the vulnerabilities after the researchers submitted their findings and awarded them bug bounties in return.
The researchers said that the flaws were discovered through a novel combination of on-device Intent/API fuzzing, network-side packet fuzzing, and targeted code auditing.
“By testing Android from version 7.0 to the recent 9.0, we have discovered eight zero-day Android VoIP vulnerabilities, all of which were confirmed by Google with bug bounty awards. The security consequences are serious, including denying voice calls, caller ID spoofing, unauthorized call operations, and remote code execution. To mitigate these vulnerabilities and further improve Android VoIP security, we uncover a new root cause that requires developers’ attention during their design and implementation,” reads the study’s abstract.
The Chinese cybersecurity experts were also able to determine some of the root causes of the vulnerabilities. At least three of the discovered bugs were caused by previously known root causes, such as no protection of exported components.
“Among the nine vulnerabilities we discovered, three of them have previously known root causes, i.e., no protection of exported components in V1, no checking of system APIs in V2, and missed error handling in V4. For the rest of six vulnerabilities, we identify a new root cause that is dedicated to Android VoIP and not known before,” reads the study’s manuscript.
“We call this root cause “incompatible processing between VoIP and PSTN calls.” Specifically, since both VoIP calls and traditional PSTN calls are handled by the Android telephony system, there exist some incompatible processing behaviors between VoIP and PSTN calls. Such incompatibility is the root cause of six VoIP vulnerabilities we identified.”
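As an added illustration that is not from the study, from Google, or from any real Android app, the first root cause the researchers name, an unprotected exported component, is the kind of defect a manifest review catches before a bug bounty report does. The package, receiver and permission names below are hypothetical placeholders, and the three receiver declarations are alternatives shown side by side (a real manifest would contain one): the first lets any app installed on the device send the receiver a broadcast, the second restricts it to callers holding a signature-level permission, and the third is the usual fix when no other app ever needs to reach the component.

```xml
<!-- Added example, not from the study: hypothetical manifest for a call-handling receiver. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.voipdemo"> <!-- placeholder package name -->

    <!-- Custom permission granted only to apps signed with the same key as this one. -->
    <permission android:name="com.example.voipdemo.permission.CALL_CONTROL"
        android:protectionLevel="signature" />

    <application>

        <!-- Weak: exported with no permission, so any installed app can trigger it. -->
        <receiver android:name=".CallControlReceiver"
            android:exported="true">
            <intent-filter>
                <action android:name="com.example.voipdemo.ACTION_END_CALL" />
            </intent-filter>
        </receiver>

        <!-- Hardened: still exported, but only to apps holding the signature permission. -->
        <receiver android:name=".CallControlReceiver"
            android:exported="true"
            android:permission="com.example.voipdemo.permission.CALL_CONTROL">
            <intent-filter>
                <action android:name="com.example.voipdemo.ACTION_END_CALL" />
            </intent-filter>
        </receiver>

        <!-- Simplest fix when nothing outside the app needs the component: do not export it. -->
        <receiver android:name=".CallControlReceiver"
            android:exported="false" />

    </application>
</manifest>
```

A quick review check is to list every component declared with android:exported="true" and confirm each one either carries an android:permission attribute or validates the caller itself; a component with an intent-filter and no explicit android:exported value is implicitly exported on older Android releases, and since Android 12 the build tools reject such a declaration unless the attribute is stated explicitly.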
The researchers said that what they have found has “serious” consequences, but they are also expecting a patch from Google very soon.