Researchers from the German security firm Curesec reported this vulnerability to Google, and in their blog post they claim that the same vulnerability was also reported to Google last year.
What is the BUG?
Normally, an Android app does not have permission to access your calls or call-related systems, but according to the researchers, they were able to abuse the bug, which allows them to do the following:
Terminate a Call
Dial an unwanted number
Send USSD Code
Things to Worry About:
A terminated call may be tolerable at times, but because the vulnerability also allows calling any number, malware can call a premium-rate number that costs more than normal rates, and you end up with a phone bill carrying a long list of unwanted numbers.
The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on, the researchers write.
Affected Versions:
Version   SDK   Affected
4.1.1     16    Vulnerable
4.1.2     16    Vulnerable
4.2.2     17    Vulnerable
4.3       18    Vulnerable
4.4.2     19    Vulnerable
4.4.3     19    Not Vulnerable
4.4.4     19    Not Vulnerable
Is My Device Vulnerable?
If you want to find out whether your Android device is affected by this vulnerability, the research team has also provided source code and a proof-of-concept demonstration app, but use it at your own risk.
Full documentation of this vulnerability by the researchers is available on the internet.