Android Premium SMS Warning Message Manipulation

CVE-2016-3883

Type: Elevation of Privilege
Severity: Medium
Affected products: Android
CVE Reference: CVE-2016-3883

Timeline

3/05/2016 Issue raised on AOSP Issue Tracker (Issue #208949)
10/05/2016 Issue marked as Moderate severity by Google security team
01/09/2016 Patch Released
20/09/2016 Advisory Released

Description

The Android Telephony API is used by applications to handle SMS and MMS sending and receiving. To restrict applications from sending premium rate SMS messages without user consent, the Telephony API will produce a warning dialog explaining the intention of the sending application and that the action will cost the user money. The user must then tap “Send” for the SMS to be sent. This restriction was put in place as many instances of malware would use premium rate SMS messages as a way of profiteering by sending messages to numbers owned by the malware’s authors.

It was found that the warning message used the “app_name” string from the application itself to form part of the message. This message would then have all HTML tags rendered using the Html.fromHtml() function. An attacker would therefore be able to include HTML tags in their application name to manipulate this warning message, potentially tricking a user into sending the premium rate SMS messages.

Impact

Malware installed on an Android device could include HTML tags in its application name. Upon sending a premium rate SMS message, the user would not receive the legitimate warning, but rather one controlled by the malware. This may lead to users sending the messages and incurring financial loss.

Cause

The Telephony API is used by applications to manage sending and receiving SMS and MMS messages. To stop applications automatically sending messages that would cost the user money, the user is prompted as to whether or not they want the app to send the message. The message includes the sending application’s name.

As the application’s name is put into the warning message, and then rendered as HTML, a malicious app could misuse this feature to change the text in the warning message by including HTML tags within its application name. This can change the warning message to show any text that the malicious app chooses to show.
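
The following is an added example, not code from the advisory or from AOSP: a small Python model of the flaw described under Description and Cause, showing the label inserted verbatim next to an escaped variant, plus a vetting check for labels that contain markup. The template text, the function names, the sample label and the simplified renderer standing in for Html.fromHtml() are all assumptions.

```python
import html
from html.parser import HTMLParser

# Hypothetical template; the platform's real warning string is not on this page.
TEMPLATE = "<b>{app}</b> would like to send a message to <b>{dest}</b>. This may cause charges."

class _Renderer(HTMLParser):
    """Simplified stand-in for Html.fromHtml(): interprets tags, keeps text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.seen_tags = [], []

    def handle_starttag(self, tag, attrs):
        self.seen_tags.append(tag)
        if tag == "br":
            self.parts.append("\n")

    def handle_data(self, data):
        self.parts.append(data)

def render(markup):
    """Return (visible_text, tags_interpreted) for a markup string."""
    r = _Renderer()
    r.feed(markup)
    r.close()
    return "".join(r.parts), r.seen_tags

def build_warning_unsafe(app_label, dest):
    # Behaviour the advisory describes: label inserted verbatim, then rendered.
    return TEMPLATE.format(app=app_label, dest=dest)

def build_warning_escaped(app_label, dest):
    # Mitigation sketch: HTML-escape untrusted values before formatting.
    return TEMPLATE.format(app=html.escape(app_label), dest=html.escape(dest))

def label_contains_markup(app_label):
    """Vetting check: flag a label that changes when parsed as HTML."""
    text, tags = render(app_label)
    return bool(tags) or text != app_label

if __name__ == "__main__":
    label = "Example<br><b>App</b>"  # constructed sample label
    for build in (build_warning_unsafe, build_warning_escaped):
        text, tags = render(build(label, "12345"))
        print(build.__name__, tags, repr(text))
    print("flag label:", label_contains_markup(label))
```

With the escaped variant the renderer only sees the template's own tags, and the label appears to the user exactly as the application declared it.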

Solution

Google has released a security update through an over-the-air (OTA) update as part of its Android Security Bulletin Monthly Release process.

Please refer to the Android Security Bulletin – September 2016: https://source.android.com/security/bulletin/2016-09-01.html

Technical Details

Please refer to the attached advisory.