September 28, 2012

Lookout Releases Protection Against Dialer-Related Attacks

This week, a new vulnerability was discovered that affects Android phones. Security researchers on Monday demonstrated that the Android dialer could be exploited to remotely run commands that wipe the phone without users’ permission or knowledge. To help minimize the risk facing users, Lookout released an update today to its Lookout Mobile Security app on Google Play, which protects users from these dialer-related threats.

A dialer-related attack can be triggered in two ways:

  1. By tapping a malicious phone-number link (a tel: link) on a web page while browsing from a phone, i.e. when you’re surfing the web on your mobile device and tap the phone number on a website to place a call.
  2. By opening a web page on your phone that embeds a malicious tel: link as a resource (such as an iframe). This can happen automatically as soon as the page loads, without tapping any link.

The industry is working fast to patch this vulnerability. Google patched it for the stock Android dialer nearly three months ago (but it’s unknown how broadly that patch has been merged into OEM Android firmwares), and phone manufacturers and carriers have already issued patches for a number of popular device types.

While we’re not aware of malicious examples of a dialer-based attack in the wild, it remains a concerning vulnerability: the worst known exploit results in total data loss, and there are likely a number of additional device-specific codes that are not being broadly discussed. The vulnerability may still affect many Android handsets.

How Lookout Keeps You Safe

All up-to-date Lookout users are protected against dialer-related attacks; however, to be protected you must select Lookout as the default handler for tel: links. Just follow these steps:

  • When you click-to-call from a web page on your mobile device, you will see the option to use the Android phone dialer or “Scan with Lookout before Dialing”.
  • To ensure the number is safe, select “Scan with Lookout before Dialing”.

Lookout will then scan the number and alert you if dialing it would carry out an action you probably did not intend, such as wiping your data or your photos, or returning your phone to factory settings. If no threat is detected, your phone continues dialing the number you selected.
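As an added illustration (not Lookout’s code), this is the kind of pre-dial check the scanning step above describes, applied to the two link forms listed earlier: it decodes a tel: URI, strips visual separators and refuses to hand anything carrying MMI/USSD syntax to the dialer. The sample links and the MMI code in them are constructed; the pause/wait characters follow Android dial-string convention.

```python
"""Pre-dial check for tel: links: flag MMI/USSD-style codes before handing
the number to the phone's dialer. Added illustration, not Lookout's code."""
import re
from urllib.parse import unquote

# What a plain dial string legitimately needs: digits, an optional leading
# '+', and the pause (',') / wait (';') characters Android dial strings use.
# '*' and '#' are MMI/USSD syntax and never needed for an ordinary call.
PLAIN_DIAL = re.compile(r"^\+?[0-9]+(?:[,;][0-9]*)*$")
VISUAL_SEPARATORS = " -().\t"


def normalize_tel(href: str) -> str:
    """Return the dial string from a tel: URI, percent-decoded and stripped of
    visual separators. '#' must be percent-encoded (%23) inside a URI, so a
    link that hides MMI syntax as %23 or %2A decodes back to '#' / '*'."""
    if not href.lower().startswith("tel:"):
        raise ValueError("not a tel: link")
    number = unquote(href[4:])
    return "".join(ch for ch in number if ch not in VISUAL_SEPARATORS)


def classify_tel(href: str) -> str:
    """'dial' for an ordinary phone number, 'block' for anything carrying
    MMI/USSD syntax ('*' or '#') that the dialer would execute, and
    'unknown' for strings that are neither (leave the decision to the user)."""
    number = normalize_tel(href)
    if PLAIN_DIAL.fullmatch(number):
        return "dial"
    if "*" in number or "#" in number:
        return "block"
    return "unknown"


# Constructed sample links, as they might appear in an <a href> or iframe src.
SAMPLES = {
    "tel:+1-415-555-0100": "dial",
    "tel:%2B1%20415%20555%200100": "dial",  # percent-encoded plain number
    "tel:*%2312345%23": "block",            # '*#12345#', a made-up MMI code
    "tel:%2A%2312345%23": "block",          # same code with '*' also encoded
    "tel:555-0100;1234": "dial",            # wait character, then extension
    "tel:abc": "unknown",
}

if __name__ == "__main__":
    for href, expected in SAMPLES.items():
        print(f"{href:32} -> {classify_tel(href)} (expected {expected})")
```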

Make sure you select “Scan with Lookout before Dialing” as your default setting to ensure the best protection when making web-based click-to-calls.

Here’s what it would look like if Lookout detects a dialer threat:

For more information, contact support@lookout.com.

7 comments
  1. On my Samsung Galaxy GT-I9000 Lookout unfortunately drops me into contacts, rather than the dialler, after scanning the number from a txt msg. This makes it unusable and I had to spend considerable time to figure out how to not make this the default, as I receive a lot of leads via txt. Android 2.3.3.

  2. Mark says:

    This is great, but there’s also another form of threat that this COULD be used for: a new type of phishing known as “vishing” involves robocalls requesting info such as credit/debit card numbers, SSNs, etc. Conceivably, it would also be possible to send out an email saying “please call this number to verify your identity.” Also, whenever I post a resume on a site like Monster with my cell #, I inevitably get SPIT (SPam over Internet Telephony) calls, often in Spanish, saying I’ve won a free vacation, etc. A filter for these calls (and perhaps SMS/MMS spam/phishing) would be another great feature to have.

  3. @Peter Hendricks,
    Thank you for letting us know about that issue! That sounds very weird, we’ll investigate. If you have any other issues, please email us at support [at] lookout[dot]com.
    best, RT

  4. Laura says:

    I just clicked on the link above for the test page to see if my Droid RAZR M was vulnerable and my dialer never popped up with the stuff with the *#6 whatever for not being vulnerable or the 14 or 16 digit number to show that my phone was vulnerable. In fact, my dialer never popped up at all. So does this mean your test page does not work or what??? There is no explanation given in the instructions as to what your vulnerability is if your dialer does not even pop up at all to even give you anything to determine vulnerability. Makes me wonder if this was a hoax email to begin with!

  5. @Laura, dialer attacks are definitely not a hoax! As Derek referenced in the post, this vulnerability has been published by researchers, and although we have not seen any dialer attacks in the wild as actual scams, it’s something we took very seriously because the worst demonstrated exploit results in total data loss, and there are likely a number of additional device-specific codes that are not being broadly discussed.

    I’m not sure why the test page didn’t work when you viewed it on your Android handset’s browser, but if you have Lookout installed, you would be protected if you choose to scan a click-to-call number with Lookout. Please feel free to email our support, support[at]lookout[dot]com.

  6. Gabriel says:

    On the Note 3 it keeps asking if I want to “complete action using” every time I click on a phone number in my browser. I set either the phone app or Lookout as the default action, but no matter what I choose as the default app, it KEEPS asking me what default I’d prefer. I uninstalled Lookout and tried making phone calls and it solved the problem. Thing is I want to continue to use Lookout as well.

  7. Brad says:

    How do I turn this off? I never dial from websites. I do frequently dial from my maps app. It’s very annoying as I have selected default phone several times but the pop up continues to pop up every time.
