Researchers Discovered Vulnerabilities in Android VoIP Components

A team of researchers from OPPO ZIWU Cyber Security Lab in Shenzhen, China University of Hong Kong and Singapore University of Management discovered 8 vulnerabilities in the Android VoIP components.

Interestingly, to date, information security experts have studied Voice-over-IP (VoIP) only in the context of equipment, servers, and mobile applications, but have not tested the VoIP components inside the Android OS itself.

“The security consequences are serious, including denying voice calls, caller ID spoofing, unauthorized call operations, and remote code execution,” the researchers write.

To study the Android components, the researchers developed three methods for analyzing the VoIP backend and systematically tested the components for vulnerabilities. For the most part, the analysts relied on fuzzing.

To interact with the components, Android Intent and the System API were developed. The experts then set up a VoIP test bench in their lab and applied fuzzing to various VoIP protocols, including SIP (Session Initiation Protocol), SDP (Session Description Protocol) and RTP (Real-time Transport Protocol). After this analysis, the researchers also reviewed the resulting logs manually and performed an additional code audit.

Only the latest versions of Android were tested, from Android 7.0 (Nougat) to last year’s 9.0 (Pie). As a result, nine vulnerabilities were identified, some of which Google engineers have already fixed. Of the nine bugs, eight affect the Android VoIP backend, while the ninth (V1 in the table below) affects a third-party application.


The problem lies in how the Android Intent API interacts with the official VK (VKontakte) application. The vulnerability allows a malicious application installed on the device to make a VoIP call through the VK application and listen in on conversations taking place near the phone’s owner.

Exploiting the bug requires no user interaction, and although it requires local access, the bug is ideal for integration with spyware, remote access trojans (RATs), and other malicious programs.


Malicious applications on the device can misuse two local privileged APIs (in the QtilMS VoIP component) to transfer incoming calls to the attacker’s device without authorization.

The bug was fixed back in 2017, when the problem was first discovered, and then received the identifier CVE-2017-11042.


The first of six remotely exploitable issues. Attackers can initiate calls to the victim’s phone using a long (1043 characters) SIP name.

The SIP name literally fills the entire screen of the victim’s phone and prevents the user from answering or rejecting the call. If the attackers make several calls, one after another, they can effectively prevent the user from using the phone at all. This can be used, for example, as an aid to another attack, such as hijacking an email account or bypassing 2FA.

Experts write that this DoS bug is similar to the SMS bomb, but they call it the VoIP bomb. In current versions of Android, Google limits the size of the SIP name in VoIP calls to prevent abuse.


The fourth problem can also be exploited remotely. Attackers can use malformed SDP packets to cause the victim’s device to fail when it receives an incoming call.

Like the two previous errors, this bug was fixed in 2017, after a warning from the researchers.


The most dangerous bug of all those discovered by the researchers. It received the identifier CVE-2018-9475 and was fixed as part of Android Oreo in 2018.

This is a remote code execution (RCE) problem that allows attackers to run malicious code on a remote device using a VoIP call.

Researchers have noticed that they can trigger a stack buffer overflow if the username (or caller number) in a VoIP call is more than 513 bytes. “This vulnerability allows an attacker to overwrite the return address of the ClccResponse function, which will lead to remote code execution,” the researchers say.

This error has affected all versions of Android up to and including 9.0 (Pie).
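The bug class described above, shown as an added example that is not code from Android or from the researchers: an unbounded copy of the caller number into a fixed stack buffer next to a bounded version that rejects over-long input. The function names, the response format and the 512-byte buffer size are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size; the page states only that a name or number longer
 * than 513 bytes overflowed the real stack buffer. */
#define RESP_BUF_LEN 512

/* UNSAFE, for comparison only: sprintf() writes as many bytes as the
 * caller number contains, so an over-long number runs past buf and, for
 * a stack buffer, over the saved return address. */
int format_call_response_unsafe(char *buf, int index, const char *number)
{
    return sprintf(buf, "CALL %d \"%s\"", index, number);
}

/* Hardened: the destination size travels with the buffer and truncation
 * is an error, not a shortened caller ID. Returns length or -1. */
int format_call_response(char *buf, size_t buf_len, int index,
                         const char *number)
{
    if (buf == NULL || buf_len == 0 || number == NULL)
        return -1;
    int n = snprintf(buf, buf_len, "CALL %d \"%s\"", index, number);
    if (n < 0 || (size_t)n >= buf_len) {
        buf[0] = '\0'; /* leave no partial response behind */
        return -1;
    }
    return n;
}

/* Demo helper: build a caller number of `len` digits and format it. */
int try_number_of_length(size_t len)
{
    char number[2048];
    char resp[RESP_BUF_LEN];
    if (len >= sizeof number)
        return -1;
    memset(number, '7', len);
    number[len] = '\0';
    return format_call_response(resp, sizeof resp, 1, number);
}

int main(void)
{
    printf("20 digits  -> %d\n", try_number_of_length(20));
    printf("1043 bytes -> %d\n", try_number_of_length(1043));
    return 0;
}
```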



The V6 bug is similar to V5 and is also a vulnerability that can be exploited when making VoIP calls with long numbers. However, this bug only causes the device to malfunction and does not allow attackers to remotely execute code.


The seventh vulnerability cannot be used remotely, but it can be exploited by malicious applications already installed on the device. This is a classic directory traversal problem that occurs because SIP and Android handle the characters “..” and “/” differently.


The vulnerability is associated with the format of PSTN (Public Switched Telephone Network) numbers, which does not take the “&” character into account. Incoming VoIP calls containing the “&” character cause Android to read only the digits before this character, but not after it, which makes it easy to fake the caller ID.
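The parsing mismatch described above, as an added example that is not Android code: a lenient parser that keeps only the leading digits next to a strict validator that rejects the whole field when any unexpected character appears. The function names, the sample numbers and the 3-to-15-digit policy are assumptions chosen for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lenient pattern: copy the leading digits and stop at the first other
 * character, so everything from '&' onward is silently dropped. */
size_t leading_digits(const char *in, char *out, size_t out_len)
{
    size_t n = 0;
    if (out_len == 0) return 0;
    while (isdigit((unsigned char)in[n]) && n + 1 < out_len) {
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Strict: the whole field must be an optional '+' followed by 3 to 15
 * digits (a policy chosen for this example). Returns 1 if valid, else 0,
 * so a field such as "digits&digits" is rejected, never shortened. */
int is_valid_caller_id(const char *in)
{
    size_t len = strlen(in);
    size_t start = (in[0] == '+') ? 1 : 0;
    size_t digits = len - start;
    if (digits < 3 || digits > 15) return 0;
    for (size_t i = start; i < len; i++)
        if (!isdigit((unsigned char)in[i])) return 0;
    return 1;
}

/* 1 if the lenient parser turns `field` into exactly `expected`. */
int lenient_yields(const char *field, const char *expected)
{
    char shown[32];
    leading_digits(field, shown, sizeof shown);
    return strcmp(shown, expected) == 0;
}

int main(void)
{
    const char *field = "5550100&5550199"; /* constructed sample */
    printf("lenient shows 5550100: %d, strict accepts: %d\n",
           lenient_yields(field, "5550100"), is_valid_caller_id(field));
    return 0;
}
```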


The ninth and final vulnerability is also related to the format of the PSTN number, but this time with the “phone-context” parameter.


About James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.
