CVE-2015-3858 in Android

Summary

by MITRE

The checkDestination function in internal/telephony/SMSDispatcher.java in Android before 5.1.1 LMY48M relies on an obsolete permission name for an authorization check, which allows attackers to bypass an intended user-confirmation requirement for SMS short-code messaging via a crafted application, aka internal bug 22314646.


Analysis

by VulDB Data Team • 01/12/2018

The vulnerability described in CVE-2015-3858 represents a critical authorization flaw in the Android operating system's SMS messaging framework that existed prior to version 5.1.1. This issue specifically affects the checkDestination function within the internal/telephony/SMSDispatcher.java file, which is responsible for validating SMS destination addresses before message transmission. The flaw stems from the use of an outdated permission name that no longer corresponds to the actual permission required for SMS short-code messaging authorization, creating a security gap that attackers can exploit to bypass intended user confirmation mechanisms.

The technical implementation of this vulnerability involves a permission name mismatch that occurs during the SMS dispatch process. When an application attempts to send an SMS message to a short-code destination, the system should require explicit user confirmation before proceeding. However, due to the obsolete permission check, malicious applications can craft requests that appear to have the necessary authorization, effectively bypassing the user confirmation requirement. This creates a scenario where unauthorized SMS messages can be sent to short-code numbers without user awareness or consent, potentially enabling various malicious activities including premium rate service abuse, phishing attempts, or spam distribution.

The operational impact of this vulnerability extends beyond simple unauthorized messaging, as it represents a fundamental breakdown in Android's security model for SMS communications. The vulnerability allows attackers to circumvent the intended security controls that protect users from unintended SMS charges and malicious messaging. Short-code numbers, which are typically used for services like voting, donations, or premium content subscriptions, become particularly vulnerable since they often involve financial transactions or sensitive data collection. Attackers can leverage this flaw to send messages to these numbers without user knowledge, potentially resulting in unauthorized charges, data collection, or other malicious activities that exploit the trust users place in their mobile devices.

This vulnerability aligns with CWE-284, which addresses improper access control issues, and demonstrates how outdated permission references can create security holes in mobile operating systems. The flaw also relates to ATT&CK technique T1059.001, which involves the use of system services for command execution, as the compromised SMS functionality can be used to execute malicious commands through SMS-based attacks. The vulnerability highlights the importance of maintaining up-to-date permission schemas and authorization checks in mobile platforms, where the complexity of system services and the variety of permission types can create opportunities for such mismatches to occur.

Mitigating CVE-2015-3858 requires updating to Android 5.1.1 build LMY48M or later, where the permission check has been corrected. Organizations should implement comprehensive mobile device management policies that include regular security patching and monitoring for unauthorized applications that may attempt to exploit this vulnerability. Users should be educated about the risks of installing applications from untrusted sources and the importance of keeping their devices updated with the latest security patches. Additionally, network-level monitoring can help detect unusual SMS activity patterns that may indicate exploitation attempts, while application sandboxing and permission controls should be enforced to limit the scope of potential damage from compromised applications.

Reservation: 05/12/2015

Disclosure: 09/30/2015

Moderation: accepted

Entry: VDB-78176

CPE: ready

EPSS: 0.00157

KEV: no

Activities: very low
