A team of researchers from the mobile phone manufacturer Oppo, the Chinese University of Hong Kong and Singapore Management University has discovered a total of nine security holes in the voice-over-IP components of Google’s mobile operating system. They allow attackers to start unauthorized VoIP calls, reject any call, falsify caller IDs, and possibly even inject and execute malicious code.
Until now, security experts had mainly examined VoIP equipment, servers and mobile VoIP apps, but not Android’s own VoIP software. To close this gap, the research team developed three vulnerability-hunting methods over a period of several years and used them to systematically comb through the VoIP components.
Over time, they took a closer look at the system APIs used to interact with the native VoIP components and at the various VoIP protocols such as SIP, SDP and RTP. They then confirmed their findings with manual code audits. They only checked current Android versions, from 7.x Nougat to 9.0 Pie. A total of nine vulnerabilities were identified.
The first vulnerability allows the official app of the Russian social network vKontakte to start a VoIP call within the app or to listen in on the user’s surroundings. No user interaction is required for this attack.
A malicious app can misuse two local APIs to forward incoming calls without the user’s consent. This hole, however, was already patched in 2017.
An overly long SIP string (1043 characters) allows spam calls to be started that cannot be refused. A burst of such calls within a short time can even temporarily render a smartphone unusable, which meets the definition of a denial-of-service attack. Current Android versions, however, are already supposed to limit the number of SIP characters.
Another vulnerability, also patched in 2017, likewise allowed denial-of-service attacks: until then, specially crafted SDP packets would crash the recipient’s device. Android Oreo also introduced a fix for a vulnerability that allowed remote code execution: a caller name of more than 513 bytes triggered a buffer overflow in older versions.
Another vulnerability stems from Android and the SIP protocol treating certain characters differently. The “&” character causes problems because it is not supported by the PSTN telephone number format. Android therefore reads only the digits before the “&” sign, which can be misused for spoofing. The PSTN format is also a starting point for spoofing attacks because it uses a parameter called phone-context. This is meant to supply the area code for a telephone number, which, however, does not exist for VoIP calls. The phone app nevertheless honours the parameter and adds digits to the phone number, which affects only what is displayed.
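As an added illustration (not code from the article or from the researchers), the following Python models the two display problems just described, truncation at “&” and a phone-context parameter altering the shown number, as validation failures rather than letting them change what the user sees. The minimal SIP URI parser, the length cap and the sample URIs are all assumptions constructed for this example.

```python
import re

MAX_SIP_LEN = 256                          # assumed cap for the whole URI, not Android's real limit
PSTN_USER = re.compile(r"^\+?[0-9*#]+$")   # only dialable PSTN characters
LEADING_DIGITS = re.compile(r"^\+?[0-9*#]*")


def split_params(s):
    """'1234;phone-context=+1555' -> ('1234', {'phone-context': '+1555'})."""
    head, *parts = s.split(";")
    params = {}
    for p in parts:
        k, _, v = p.partition("=")
        params[k.lower()] = v
    return head, params


def parse_sip_uri(uri):
    """Minimal parse of 'sip:user[;p=v]@host[;p=v]' -> (user, host, params).
    Accepts a display-name form such as '"Alice" <sip:...>'. Not RFC 3261 complete."""
    m = re.search(r"<([^>]*)>", uri)
    if m:
        uri = m.group(1)
    if ":" in uri:
        uri = uri.split(":", 1)[1]            # drop the 'sip:' / 'sips:' scheme
    user_part, _, host_part = uri.partition("@")
    user, uparams = split_params(user_part)   # phone-context may sit in the user part
    host, hparams = split_params(host_part)   # e.g. ';user=phone' after the host
    return user, host, {**hparams, **uparams}


def lenient_display(uri):
    """Model of the lenient behaviour described in the article: show the
    digits up to the first non-dialable character, so '1234&9999' shows as '1234'."""
    user, _, _ = parse_sip_uri(uri)
    return LEADING_DIGITS.match(user).group(0)


def strict_caller_id(uri):
    """Return (display, issues). display is the number only when the whole
    user part is dialable and no phone-context parameter is present;
    otherwise None, so the UI can show 'unknown' instead of a doctored number."""
    issues = []
    if len(uri) > MAX_SIP_LEN:
        issues.append("header exceeds length cap")
    user, _, params = parse_sip_uri(uri)
    if "phone-context" in params:
        issues.append("phone-context parameter present")
    if not PSTN_USER.match(user):
        issues.append("non-PSTN character in user part")
    return (user if not issues else None), issues
```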
At the time of discovery, all of the vulnerabilities were zero-days. Six of them can be exploited remotely; three require local access (e.g. via a malicious app) or even physical access.