CVE-2016-0847 in Androidinfo

Summary

by MITRE

The Telecom Component in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to spoof the originating telephone number of a call via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26864502.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/12/2022

The vulnerability identified as CVE-2016-0847 resides within the Telecom Component of Android operating systems, specifically affecting versions 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before the 2016-04-01 security update. This flaw represents a significant security weakness in the telephony subsystem that enables malicious actors to manipulate caller identification information. The vulnerability stems from insufficient validation of originating telephone numbers within the telephony framework, allowing crafted applications with appropriate privileges to forge caller ID data. The issue was internally tracked as bug 26864502, highlighting its classification as a system-level security concern within Google's internal tracking mechanisms.

The technical implementation of this vulnerability exploits the trust model within Android's telephony services, where legitimate applications can be granted elevated privileges through signature-level access or signature or system access permissions. When an application with these privileges makes a call, the system fails to properly validate or sanitize the originating number field, allowing attackers to inject arbitrary telephone numbers into the call setup process. This manipulation occurs at the framework level where telephony services interact with the underlying cellular network protocols, bypassing normal verification mechanisms that should ensure caller identification authenticity. The vulnerability specifically targets the telecom component's handling of call setup parameters, where the originating number field can be overridden without proper authentication or authorization checks.

The operational impact of CVE-2016-0847 extends beyond simple caller ID spoofing, as it provides attackers with a mechanism to impersonate legitimate telephone numbers and potentially conduct social engineering attacks, phishing campaigns, or fraud operations. The vulnerability enables attackers to create calls that appear to originate from trusted numbers, making it particularly dangerous for financial institutions, government agencies, or any organization relying on caller verification for security purposes. The attack vector requires either signature-level access or signature or system access privileges, which can be obtained through various means including malicious application installation, privilege escalation exploits, or by leveraging other system vulnerabilities. This makes the attack surface broader than initially apparent, as the vulnerability can be exploited by applications that have already gained elevated privileges within the system.

Security professionals should consider this vulnerability in relation to CWE-284, which addresses improper access control within software systems, and the ATT&CK framework's privilege escalation techniques that attackers might use to obtain the necessary permissions. The vulnerability also aligns with ATT&CK technique T1068, which covers local privilege escalation, as attackers need to gain signature-level access to effectively exploit this weakness. Organizations should implement immediate mitigations including applying the relevant Android security patches released in April 2016, enforcing strict application permission controls, and monitoring for suspicious telephony-related activities within their networks. The vulnerability serves as a reminder of the critical importance of validating telecommunications data at multiple levels within mobile operating systems and demonstrates how weaknesses in core system components can provide attackers with powerful capabilities for impersonation and deception.

Reservation

12/16/2015

Disclosure

04/17/2016

Moderation

accepted

Entry

VDB-81584

CPE

ready

EPSS

0.00233

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!