Chinese researchers have found no less than nine zero-day vulnerabilities in how Android handles VoIP in its more recent versions.
The researchers stated that most security investigations focus on network infrastructure and apps, whereas they decided to look at Android’s VoIP integration.
What they found were flaws that could allow a malicious user to:
- Deny voice calls
- Spoof the caller ID
- Make unauthorized call operations
- Remotely execute code
The main problem areas were the VoLTE and VoWiFi functions of Android.
The researchers submitted their findings to Google, who confirmed them with bug bounty awards.
The flaws were discovered through a novel combination of on-device Intent/API fuzzing, network-side packet fuzzing, and targeted code auditing.
They discovered that the problems were present from Android version 7.0 to the more recent 9.0, two-thirds of which could be exploited by a network-side adversary due to incompatible processing between VoIP and PSTN calls.
According to the researchers, the security consequences of the vulnerabilities are “serious”, though Google is shortly expected to release a patch.
However, it’s not the first time VoIP vulnerabilities have made the headlines in recent weeks. A report last month found that telecoms giant Avaya had failed to apply a patch to a known vulnerability in its own phone system, even though it was made available 10 years ago.
Android security woes
The news comes only days after we reported on a zero-day exploit in the Android kernel, which could allow a malicious hacker to gain root access to Android phones.
This vulnerability was patched in Android, kernel versions 3.18, 4.14, 4.4 and 4.9, but not in more recent ones.
The problem for users is that Google’s Threat Analysis Group (TAG) confirmed that this vulnerability had already been used in real-world attacks. However, it does require a malicious app to already be installed and running on the user’s phone.