Academics find eight vulnerabilities in Android's VoIP components

The vulnerabilities can be exploited to make unauthorized VoIP calls, spoof caller IDs, deny voice calls, and even execute malicious code on users' devices.
Written by Catalin Cimpanu, Contributor

A team of academics has found eight vulnerabilities in the Android operating system's VoIP components. These vulnerabilities can be exploited to make unauthorized VoIP calls, spoof caller IDs, deny voice calls, and even execute malicious code on users' devices.

The research is the first of its kind. Until now, security researchers and academics have only looked at the security features of Voice-over-IP (VoIP) equipment, servers, and VoIP mobile apps, but none have analyzed the VoIP components inside Android itself.

The three-man research team set out to correct this. Over the course of the past few years, they developed three methods of analyzing Android's VoIP backend and systematically combed through the components for security flaws that could be exploited by an attacker.

Most of their testing revolved around using fuzzing, a well-known automated software testing technique that relies on blasting random and malformed data into a software component and observing how it reacts, looking for abnormalities in the output, such as crashes or memory leaks.

The research team said they first fuzzed the Android Intent and System APIs for interactions with the operating system's native VoIP components; they then set up a VoIP testbed in their laboratory and fuzzed the different VoIP protocols (such as SIP [Session Initiation Protocol], SDP [Session Description Protocol], and RTP [Real-time Transport Protocol]); and then they manually reviewed logs and performed manual code audits, as the last stage of their research.

They only tested recent versions of the Android OS, from Android 7.0 (Nougat) to last year's 9.0 (Pie). The research team's work produced nine vulnerabilities, all of which were reported to Google, and some fixed. Of the nine, eight impacted Android's VoIP abckend, while a ninth (V1 in the table below), impacted a third-party app.

Image: He et al.

Below is a breakdown of all the nine bugs:

V1: Initiate a VoIP call in the VK app

A bug in how the Android Intent API interacts with the official VK (vKontakte) app can allow a malicious app installed on the device to start a VoIP call via the VK app and eavesdrop on the phone owner's nearby conversations.

No user interaction is needed to exploit this bug, and while it requires local access, the bug is ideal to be integrated inside Android spyware, remote access trojans (RATs), and other malware strains.

V2: Unauthorized call transfer in the IMS interface

On-device malicious apps can misuse two local privileged APIs (in the QtilMS VoIP component) to transfer incoming calls without authorization to an attacker's device

This was fixed back in 2017 when the issue was first discovered, and later received the CVE-2017-11042 identifier.

V3: Undeniable VoIP call spam due to long SIP name

This is the first of six remotely exploitable issues. According to researchers, attackers can initiate calls to a victim's phone using a long (1,043 characters) SIP name.

This SIP name fills up the user's phone screen and prevents them from answering or declining the call. If attackers chain multiple calls one after the other, they can prevent the user from using their phone during a critical period -- such as when performing another attack, such as hijacking an email account or bypassing 2FA.

"We call this kind of denial of service attack 'VoIP call bomb,' as similar to SMS bomb," researchers said. In current versions of the Android OS, Google limits the size of the SIP name in VoIP calls, to prevent abuse.

Image: He et al.

V4: Remote DoS in Telephony once accepting a call

The fourth bug can also be exploited remotely. Attackers can use malformed SDP packets to crash a victim's device when accepting an incoming call (see image above).

Just like the previous two bugs, this was fixed in 2017, after the researchers' report.

V5: Remote code execution due to stack buffer overflow

The worst bug researchers found was CVE-2018-9475, fixed in Android Oreo, in 2018. This is a remote code execution (RCE) issue that can allow attackers to run malicious code on a remote device via a VoIP call.

Researchers found that they could trigger a stack buffer overflow if a user name (or caller number) in a VoIP call had more than 513 bytes.

"This vulnerability allows an adversary to overwrite the return address of the ClccResponse function, causing remote code execution," researchers said. This bug affected all Android versions up to v9 (Pie), included.

V6: Remote DoS in Bluetooth once receiving a call

V6 is similar to V5, and is also a bug that can also be exploited by making VoIP calls with long caller numbers, but this one only causes phones to crash, rather than allow attackers to run code on the device.

V7: Data leak and permanent DoS due to path traversal

The seventh bug they found is not remotely exploitable, meaning it can only be abused by other malicious apps installed on the device.

However, this bug is pretty serious. It's a classic path traversal issue that happens because the SIP protocol and the Android treat the ".." and "/" characters differently. The researchers explain:

For example, by physically setting "sipuser" and "serverip" in the format of Fig. 10(a), mProfileDirectory becomes "/data/data/-com.android.phone/files/alice/@SomeSite/../../../../../../sdcard/" and leaks the sensitive SIP profile file to the public SD card. A permanent DoS could also happen if "serverip" is set to overwrite another system app's file, e.g., mmssms.db shown in Fig. 10(b).

Image: He et al.

V8: Caller ID spoofing due to mis-parsing "&"

This vulnerability is due the PSTN (Public Switched Telephone Network) number format, which does not account for the "&" character.

Incoming VoIP calls containing "&" characters result in the Android OS reading only the numbers before the character, but not after, allowing for easy caller ID spoofing.

Image: He et al.

V9: Caller ID spoofing due to "phone-context"

The ninth and last vulnerability is also due to the PSTN (Public Switched Telephone Network) number format, but this time via the "phone-context" PSTN parameter. The research team explains.

For example, in PSTN's convention, the number "650253000;phone-context=+1" is equivalent to "+1650253000", where the value of "phone-context" becomes the prefix of the number. However, such convention should not apply to VoIP calls, which is unfortunately ignored by the dialer app. As a result, an adversary can intentionally set the caller number as "650253000;phone-context=+1", and the dialer app will interpret it as "+1650253000" and display it as Google's call, which is clearly presented in Fig. 12.

The full white paper is named "Understanding Android VoIP Security: A System-level Vulnerability Assessment" and is available for download here.

The paper's authors come from the OPPO ZIWU Cyber Security Lab in Shenzen, China; The Chinese University of Hong Kong; and the Singapore Management University.

Best Android smartphones (July 2019)

Editorial standards