Zero-day exploits found in Android VoIP

By Brian Turner
published

Multiple security concerns raised

Vulnerabilities found in Android VoIP
(Image credit: Shutterstock)

Chinese researchers have found no less than nine zero-day vulnerabilities in how Android (opens in new tab) handles VoIP in its more recent versions.

The researchers stated that most security investigations focus on network infrastructure and apps, whereas they decided to look at Android’s VoIP (opens in new tab) integration. 

What they found were flaws that could allow a malicious user to:

  • Deny voice calls
  • Spoof the caller ID
  • Make unauthorized call operations
  • Remotely execute code

The main problem areas were the VoLTE and VoWiFi functions of Android.

The researchers submitted their findings to Google, who confirmed them with bug bounty awards.

The flaws were discovered through a novel combination of on-device Intent/API fuzzing, network-side packet fuzzing, and targeted code auditing.

They discovered that the problems were present from Android version 7.0 to the more recent 9.0, two-thirds of which could be exploited by a network-side adversary due to incompatible processing between VoIP and PSTN calls.

According (opens in new tab) to the researchers, the security consequences of the vulnerabilities are "serious", though Google is shortly expected to release a patch.

However, it's not the first time VoIP vulnerabilities have made the headlines in recent weeks. A report last month found that telecoms giant Avaya (opens in new tab) had failed to apply a patch to a known vulnerability in its own phone system, even though it was made available 10 years ago.

Android security woes

The news comes only days after we reported (opens in new tab) on a zero-day exploit in the Android kernel, which could allow a malicious hacker to gain root access to Android phones.

This vulnerability was patched in Android, kernel versions 3.18, 4.14, 4.4 and 4.9, but not in more recent ones.

The problem for users is that Google's Threat Analysis Group (TAG) confirmed that this vulnerability had already been used in real-world attacks. However, it does require a malicious app to already be installed and running on the user's phone.

Via ZDNet (opens in new tab)

Brian Turner
Brian Turner

Brian has over 30 years publishing experience as a writer and editor across a range of computing, technology, and marketing titles. He has been interviewed multiple times for the BBC and been a speaker at international conferences. His specialty on techradar is Software as a Service (SaaS) applications, covering everything from office suites to IT service tools. He is also a science fiction and fantasy author, published as Brian G Turner.

See more VoIP news