How Android knows about premium messages is that it reads an XML list where each country has it’s own defined premium rate numbers and how many digits those numbers need to have. Below you will find such protection example. I have used a malware app which was sending a message to a 6 digit number. Since in Romania we have 4 digits for premium numbers, the operating system allows it to send the text. As soon as it’s sent, I get a reply from the network informing me that the destination is not allowed (in Romanian). Then I modified the app to send to 1263 number. This time I got prompted by a dialog saying that I’m going to be charged for this operation. I even allowed it once and the reply from the mobile network is that I do not have enough credit – since my balance is zero – so this time it really was a premium rate number.

Another thing I wanted to check was if with this update I am going to be protected against premium SMS SIM Toolkit attack. However, the STK.apk icon was not visible after this update. If you are also in this situation after the Android 4.2 update, you will need to re-enable SIM PIN protection and the issue is solved – you can see the SIM Toolkit app in the menu.

Now, since the Android 4.2 protects also against the basic regular SMS app when you want to send a text to a premium number by yourself, I could not see any reason for not protecting also against SIM Toolkit attack since the STK.apk is involved. The result?

As you can see, the phone sends by itself a text message to a premium rate number, no protection involved from Android. Again I get the same reply from the network saying that I don’t have enough funds.

So, there it is: you are still vulnerable against SIM Toolkit attack with the new Android 4.2

UPDATE2: It was not the bug I was thinking of. After having a few communication messages with Avast, who actually were very helpful, I have to agree with them that this was NOT something they did on purpose – and I didn’t think so at all -  and also “it does not affect a lot of users as it requires special order of tasks to occur“. Indeed I was able to reproduce the bug by recording my steps and performing them on different devices. Maybe it was bad luck for me to discover these steps, but I am happy that I discovered the bug so that Avast’s customers will feel safer. Another thing I want to note is that Avast has issued a test update (only available to few until it will go into production), I applied the fix and I can confirm the issue is fixed now. Great work Avast! Really fast response and much interest showed in solving the problem.

A couple of days ago, I have installed on a test Android based phone the avast Mobile Security solution from Google Play – the free version. After a few days when this antivirus solution was turning on the WiFi or the mobile data plan by itself, during the night, I chose to uninstall it.

Now something new came to my attention: I was checking my balance on the phone and noticed that 0.12 EUR were missing. Hmm, maybe I have sent a message to some of my Roaming SIM cards. I logged on to my account to check why I have been billed. I noticed that indeed a message was sent to a number outside my country, but after checking the number I realized this number was not mine.

See the below screenshot from my account:

So I looked for the country code: this number - 420720001669 – is from Czech Republic. Searching for this number on the web revealed that avast is actually sending this message. First occurrence from here:

Même problème, je viens de voir sur mon suivi un SMS vers le 420720001669 facturé à 19cts envoyé le 27 aout.

Il me semble que ça coïncide avec l’installation d’Avast Anti-Theft qui a l’autorisation d’envoyer des SMS. Et comme de par hasard AVAST software est une compagnie Tchèque …

which translated would mean:

Same problem, I just saw on my monitor SMS to 420720001669 charged 19cts sent on August 27.

It seems to me that it coincides with the installation of Avast Anti-Theft that has permission to send SMS messages. And as coincidence AVAST Software is a Czech company …

Second result from here

Buenos días, esta mañana al consultar mi lista de llamadas me aparece lo siguiente:

24/08/2012 420720001669 ENVÍO SMS 08:12:02 1 MENSAJE

A esa hora no he enviado ningún SMS me pueden decir a q corresponde dicha numeración? El SMS tiene un coste de 60 cent.

.. and translated:

Good morning, this morning to check my call list I get the following:

08/24/2012 8:12:02 420 720 001 669 1 MESSAGE SENDING SMS

At this time I have not sent any SMS I can say that numbering corresponds aq? The SMS is charged at 60 cent.

Thank you.

There was even a result from Google Play store, but couldn’t find in full so here is the screenshot along with the translation:

September 4, 2012 – … took a printout of the operator found to send an SMS to number 420720001669, struck on the forums that this number was Avast …

To me it’s pretty clear that it’s Avast fault for this. There was only one message sent from my number, but I haven’t used their software for more than 3 days so I can’t say for sure if the message is sent each week for example. I’ll try to contact them and see what they have to say about this.

However, this is something that it shouldn’t happen at all.

In case you have noticed this behavior also, please leave a comment here.

I must say it was a real pleasure to attend the DeepSec 2011 edition. I’ve met a lot of interesting people and all the talks were great. Since it was my first time I held an international talk with such large audience, I was a little bit excited, but no matter what, I still consider I did a pretty good job. By now I only got positive feedback

To answer some of the frequently asked questions:

1. The attack I showed has nothing to do with knowing the security keys as the response to the command is being sent even if there’s an error

2. The live demo worked – too bad I didn’t have a webcam to show you the target phone

3. There was no planning on who should volunteer for the live demo

4. The number you’ve seen during the demo is not the real number (only the first 3 digits were) and also wasn’t charged with 5 EUR – all it was just for the fun of it

5. The quickest way to protect is to change your phone to one that asks for your permission before allowing the SIM card to do something, or switch to another operator that doesn’t provide SIM cards with Toolkit Application on them – in Austria it’s at least one, as well in Romania

6. Pay attention to dual-SIM phones: some of them are not showing you the extra-menu belonging to the SIM application, so don’t get comfortable thinking that you’re protected

7. I’m not a hacker / cracker how the media likes to call the security specialists most of the times. My purpose was to make you aware of the danger of just using something like SMS

I was happy that right after the talk I’ve been contacted by RIM in order to send them the details to fix this. It’s good to see that someone pays attention to these details. As long as they agree, I’ll keep you up to date with how the things are going.

Thank you Lynx, MiKa, Manuela for this opportunity! I’m pretty sure I’ll see you next year also I also hope that next year there will be more people from Romania in the audience.

Below it’s a recording of my talk SMS fuzzing, SIM Toolkit Attack – I hope you’ll ignore my excitement

The slides from the talk can be found here (click me).

I wait for your feedback!

With no further comments, the new GlaDOSiri is here:

Along with Luca Melette, Karsten was able to decrypt the GPRS data by using a modified phone, loaded with OsmocomBB baseband software. What’s interesting is that, during the research, they discovered some operators that do not use encryption at all because it would be easier to block content like VoIP, Skype and so on.
If you want to read the slides, here they are: click
My advice: set you phone to use 3G as a preferred network, not only because of the GPRS issue, but due to other GSM security issues.

UPDATE: See the videos here: CCC 2011 videos

First of all, download the Android SDK for Linux. Extract the archive then go to the “tools” directory on the newly extracted directory. Launch the SDK Manager by entering “./android”. Here you’ll have to choose Available packages and from the right panel open Android repository. Select the SDK platform that you want and Install it. Now we should create two virtual phones based on this SDK. Go to Virtual Devices, choose New. On the new window set a Name for your device, a Target (the SDK package installed previously) and a size for your virtual SD card. Repeat the steps to create a second device.

Have a look:

Why two phones? Because we need to place some calls in order to better understand AT messages exchanged between phone and SIM.

Now you should start the first phone and then open another terminal window.  You’ll have to go where Android SDK was extracted, “platform-tools” folder and type “./ adb shell”. This way you’ll enter into debug mode. In order to see the AT messages type “logcat -b radio”. You can now open the second phone. In order to place calls between the phones, each one has a unique number – found in the title bar of the phone window.

To better visualize these things, a video is necessary:

Of course you can try the AT commands that you see by connecting a USB GSM modem and minicom (or HyperTerminal in Windows). Enjoy!