
Android Premium SMS Warning Message Manipulation

Product:       Android
Severity:      Medium
CVE Reference: CVE-2016-3883
Type:          Elevation of Privilege

Description

The Android Telephony API is used by applications to handle SMS and MMS sending and receiving. To restrict applications from sending premium rate SMS messages without user consent, the Telephony API will produce a warning dialog explaining the intention of the sending application and that the action will cost the user money. The user must then tap “Send” for the SMS to be sent. This restriction was put in place as many instances of malware would use premium rate SMS messages as a way of profiteering by sending messages to numbers owned by the malware’s authors.

It was found that the warning message used the “app_name” string from the application itself to form part of the message. This message would then have all HTML tags rendered using the Html.fromHtml() function. An attacker would therefore be able to include HTML tags in their application name to manipulate this warning message, potentially tricking a user into sending the premium rate SMS messages.

Impact:

Malware installed on an Android device could include HTML tags in its application name. Upon sending a premium rate SMS message, the user would not receive the legitimate warning, but rather one controlled by the malware. This may lead to users sending the messages and incurring financial loss.

Cause:

The Telephony API is used by applications to manage sending and receiving SMS and MMS messages. To stop applications automatically sending messages that would cost the user money, the user is prompted as to whether or not they want the app to send the message. The message includes the sending application’s name.

As the application’s name is put into the warning message and then rendered as HTML, a malicious app could misuse this feature to change the text in the warning message by including HTML tags within its application name. This can change the warning message to show any text that the malicious app chooses to show.
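As an added illustration (not code from this advisory or from AOSP), the following plain-Java program contrasts the vulnerable pattern described above, interpolating the raw app_name value into an HTML template that is later passed to Html.fromHtml(), with the hardened form that HTML-escapes the untrusted value first. The template text, the htmlEncode() helper (which mirrors the escaping performed by Android's TextUtils.htmlEncode()) and the renderLikeHtml() stand-in for Html.fromHtml() are assumptions made so the example runs on a desktop JVM; the app label and destination short code are constructed samples.

```java
// Added example, not AOSP code: an untrusted app label must be HTML-escaped
// before it is interpolated into a template that is later rendered as HTML.
import java.util.regex.Pattern;

public class PremiumSmsWarning {

    // Assumed warning template in the style of a framework string resource.
    // %1$s is the app name, %2$s the destination number.
    static final String TEMPLATE =
        "<b>%1$s</b> would like to send a message to <b>%2$s</b>. "
      + "This may cause charges on your mobile account.";

    // Vulnerable form: the raw app_name lands inside the HTML template, so any
    // tags it contains become part of the rendered dialog.
    static String buildWarningUnsafe(String appName, String destination) {
        return String.format(TEMPLATE, appName, destination);
    }

    // Hardened form: escape both untrusted values first. On Android this is
    // android.text.TextUtils.htmlEncode(); the local copy below reproduces its
    // escaping so the example runs without the Android runtime.
    static String buildWarningSafe(String appName, String destination) {
        return String.format(TEMPLATE, htmlEncode(appName), htmlEncode(destination));
    }

    // Escapes the five characters that can alter HTML structure or attributes.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#39;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Crude stand-in for the text a user sees after Html.fromHtml(): tags are
    // consumed and entities decoded. Sufficient to show the difference.
    static String renderLikeHtml(String html) {
        String noTags = Pattern.compile("<[^>]*>").matcher(html).replaceAll("");
        return noTags.replace("&lt;", "<").replace("&gt;", ">")
                     .replace("&quot;", "\"").replace("&#39;", "'")
                     .replace("&amp;", "&");
    }

    // Simple vetting check for an app label: a legitimate name has no reason
    // to contain markup characters at all.
    static boolean appNameContainsMarkup(String appName) {
        return appName.contains("<") || appName.contains(">") || appName.contains("&");
    }

    public static void main(String[] args) {
        // Constructed sample label carrying markup, and a constructed short code.
        String label = "Flash<b>light</b>";
        String dest = "12345";

        // Unsafe: the tags in the label are swallowed by the renderer, so the
        // user cannot tell the name was ever manipulated.
        System.out.println("Unsafe: " + renderLikeHtml(buildWarningUnsafe(label, dest)));
        // Safe: the escaped label is shown literally, tags and all.
        System.out.println("Safe:   " + renderLikeHtml(buildWarningSafe(label, dest)));
        System.out.println("Markup in label? " + appNameContainsMarkup(label));
    }
}
```

The hardened builder is the pattern to look for when reviewing any dialog that mixes caller-supplied strings with HTML-formatted resources: escape at the point of interpolation, not after rendering.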

Solution:

Google has released a security update through an over-the-air (OTA) update as part of its Android Security Bulletin Monthly Release process.

Please refer to the Android Security Bulletin – September 2016: https://source.android.com/security/bulletin/2016-09-01.html

Technical Details

Please refer to the attached advisory.


Detailed Timeline

Date        Summary
3/05/2016   Issue raised on AOSP Issue Tracker (Issue #208949)
10/05/2016  Issue marked as Moderate severity by Google security team
01/09/2016  Patch Released
20/09/2016  Advisory Released