Android 4.2 still vulnerable to SIM Toolkit attack

A couple of hours ago the update to Android 4.2 was made available. One of its new security features is protection against premium SMS messages when an app tries to send them.

Android knows about premium messages by reading an XML list in which each country has its own defined premium rate numbers and the number of digits those numbers must have. Below you will find an example of this protection. I used a malware app which was sending a message to a 6-digit number. Since in Romania we have 4 digits for premium numbers, the operating system allows it to send the text. As soon as it's sent, I get a reply from the network informing me that the destination is not allowed (in Romanian). Then I modified the app to send to the number 1263. This time I was prompted by a dialog saying that I'm going to be charged for this operation. I even allowed it once, and the reply from the mobile network was that I do not have enough credit, since my balance is zero, so this time it really was a premium rate number.
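A simplified model of the lookup described above, as an added example that is not Android's code or the author's. The XML snippet, its element and attribute names and the 6-digit number are constructed for illustration; the 4-digit rule for Romania and the number 1263 come from the post. It shows why the 6-digit destination is sent without a prompt while 1263 triggers the confirmation dialog.

```python
import re
import xml.etree.ElementTree as ET

# Constructed per-country list: "pattern" describes what a short code looks
# like in that country, "premium" which of those codes are premium rate.
# Element and attribute names are assumptions made for this sketch.
SAMPLE_XML = r"""
<shortcodes>
  <shortcode country="ro" pattern="\d{4}" premium="1263" />
</shortcodes>
"""


def load_rules(xml_text):
    """Parse the list into {country: (short_code_regex, premium_regex)}."""
    rules = {}
    for node in ET.fromstring(xml_text.strip()).iter("shortcode"):
        rules[node.get("country")] = (
            re.compile(node.get("pattern")),
            re.compile(node.get("premium")),
        )
    return rules


def classify(rules, country, destination):
    """Return 'no_rule', 'not_short_code', 'short_code' or 'premium'."""
    digits = re.sub(r"[\s\-]", "", destination)  # ignore spaces and dashes
    rule = rules.get(country)
    if rule is None:
        return "no_rule"
    short_code, premium = rule
    # The digit-count pattern is checked first: a number that does not look
    # like a short code for this country is never treated as premium.
    if not short_code.fullmatch(digits):
        return "not_short_code"
    if premium.fullmatch(digits):
        return "premium"
    return "short_code"


def needs_confirmation(rules, country, destination):
    """True when the user should be asked before the message is sent."""
    return classify(rules, country, destination) == "premium"


RULES = load_rules(SAMPLE_XML)

if __name__ == "__main__":
    for number in ("123456", "1263", "1234"):  # 123456 is a constructed value
        print(number, classify(RULES, "ro", number))
```
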

Another thing I wanted to check was whether this update protects me against the premium SMS SIM Toolkit attack. However, the STK.apk icon was not visible after the update. If you are in the same situation after the Android 4.2 update, you will need to re-enable SIM PIN protection and the issue is solved: you can see the SIM Toolkit app in the menu.

Now, since Android 4.2 also protects the basic regular SMS app when you want to send a text to a premium number yourself, I could not see any reason for it not to protect against the SIM Toolkit attack as well, since STK.apk is involved. The result?

As you can see, the phone sends a text message to a premium rate number by itself, with no protection from Android. Again I get the same reply from the network saying that I don't have enough funds.

So, there it is: you are still vulnerable to the SIM Toolkit attack with the new Android 4.2.
