This week, a new vulnerability was discovered that affects Android phones. Security researchers on Monday demonstrated that the Android dialer could be exploited to remotely run commands that wipe the phone without users’ permission or knowledge. To help minimize the risk facing users, Lookout released an update today to its Lookout Mobile Security app on Google Play, which protects users from these dialer-related threats.
A dialer-related attack can be triggered in two ways:
- By clicking a malicious phone number link (a tel: link) on a web page while browsing from a phone, i.e. when you tap the phone number on a website to place a call from your mobile device.
- By opening a web page on your phone that embeds a malicious tel: link as a resource (such as an iframe). This can happen automatically when the page loads, without clicking any links.
The industry is working fast to patch this vulnerability. Google patched it for the stock Android dialer nearly three months ago (but it’s unknown how broadly that patch has been merged into OEM Android firmwares), and phone manufacturers and carriers have already issued patches for a number of popular device types.
While we’re not aware of malicious examples of a dialer-based attack in the wild, it remains a concerning vulnerability: the worst known exploit results in total data loss, and there are likely a number of additional device-specific codes that are not being broadly discussed. The vulnerability may still affect many Android handsets.
How Lookout Keeps You Safe
All up-to-date Lookout users are protected against dialer-related attacks; however, you must select Lookout as the default dialer for tel: links in order to be protected. Just follow these steps:
- When you click-to-call from a web page on your mobile device, you will see the option to use the Android phone dialer or “Scan with Lookout before dialing”.
- To ensure the number is safe, select “Scan with Lookout before Dialing”.
Lookout will then scan the number and alert you if dialing it would trigger an action you might not have intended, such as wiping your data or your photos, or returning your phone to factory settings. If no threat is detected, your phone continues dialing the selected number.
Make sure you select “Scan with Lookout before Dialing” as your default to get the best protection when making web-based click-to-calls.
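To make the two trigger paths listed above and the pre-dial scan concrete, here is an added Python example. It is not Lookout's code and not the detection logic the app actually uses; it only shows the shape of such a check. The rule it applies (treat anything that looks like an MMI/USSD dial string, starting with `*` or `#` and ending with `#`, as something to hold for review rather than dial) is an assumption, and the sample page and dial strings are constructed for the example and are not known device codes.

```python
"""Classify tel: links the way a pre-dial scanner might (added example).

Assumptions (not from the original post): MMI/USSD-style dial strings are
the ones that begin with '*' or '#' and end with '#'; a plain telephone number
contains only digits, an optional leading '+', and RFC 3966 visual separators.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Visual separators RFC 3966 allows inside the number part of a tel: URI.
_SEPARATORS = re.compile(r"[-.()\s]")
# A plain dial string once separators are stripped: optional '+', then digits.
_PLAIN_NUMBER = re.compile(r"^\+?\d+$")
# MMI/USSD syntax: starts with '*' or '#', ends with '#', body of digits/*/#.
_MMI_CODE = re.compile(r"^[*#][\d*#]*#$")

# Constructed sample page: a normal click-to-call link, a hidden iframe that
# points at a tel: resource (the no-click trigger), and a percent-encoded link.
# The dial string *#000000# is a placeholder, not a real device code.
SAMPLE_PAGE = """
<a href="tel:+1-555-0100">Call us</a>
<iframe src="tel:*%23000000%23" style="display:none"></iframe>
<a href="tel:%2A%23000000%23">Support</a>
"""


def extract_dial_string(uri: str) -> Optional[str]:
    """Return the decoded dial string of a tel: URI, or None if it is not tel:."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return None
    # Parameters (";phone-context=...") are not part of the number itself.
    number = rest.split(";", 1)[0]
    # '#' and '*' are often percent-encoded (%23, %2A) so the link survives
    # in HTML; decode before looking at the characters.
    return unquote(number)


def classify_tel_link(uri: str) -> str:
    """Return 'not-tel', 'number', 'mmi-code' or 'suspicious'."""
    dial = extract_dial_string(uri)
    if dial is None:
        return "not-tel"
    compact = _SEPARATORS.sub("", dial)
    if _PLAIN_NUMBER.fullmatch(compact):
        return "number"
    if _MMI_CODE.fullmatch(compact):
        return "mmi-code"
    return "suspicious"


def should_block_before_dialing(uri: str) -> bool:
    """Policy of the pre-dial check: only plain numbers go straight to the dialer."""
    return classify_tel_link(uri) != "number"


def scan_html_for_tel_links(html: str) -> List[Tuple[str, str]]:
    """Find tel: targets in href/src attributes (covers the iframe case) and classify them."""
    found = re.findall(r"""(?:href|src)\s*=\s*["'](tel:[^"']*)["']""", html, flags=re.I)
    return [(link, classify_tel_link(link)) for link in found]


if __name__ == "__main__":
    for link, verdict in scan_html_for_tel_links(SAMPLE_PAGE):
        action = "hold for review" if should_block_before_dialing(link) else "dial"
        print(f"{link!r:40} {verdict:10} -> {action}")
```

The iframe case is why the scan belongs at the dialer rather than in the browser: the page never shows the user a link to decline, so the tel: handler is the last point at which the dial string can be inspected.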
Here’s what it would look like if Lookout detects a dialer threat:
For more information, contact firstname.lastname@example.org.