A vulnerability discovered late last year lets a malicious app on an Android phone place calls without the required permission, terminate calls in progress and send the dialer codes that control call forwarding, caller ID and other carrier-side features.
Android bug reported to Google
According to a report in ComputerWorld, the vulnerability was discovered and subsequently reported to Google Inc (NASDAQ:GOOG) (NASDAQ:GOOGL) by researchers from Berlin-based security consultancy Curesec. The researchers believe the flaw was first introduced in Android version 4.1, the release also known as "Jelly Bean."
The vulnerability was fixed in Android 4.4.4, released on June 19. Unfortunately, that version is available only for a limited number of devices, currently a small percentage of installations worldwide. Citing Google's own statistics, the report noted that almost 73 percent of Android devices that connected to Google Play at the beginning of June ran versions of the operating system affected by the vulnerability.
The list of problems a hacker could cause was long and potentially painful to users. “The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on,” Curesec’s CEO Marco Lux and researcher Pedro Umbelino wrote Friday in a blog post.
Android bug lets apps terminate outgoing calls without permission
The vulnerability allows an app to terminate outgoing calls or dial any number, including premium-rate ones, without user interaction, the report noted. This bypasses the Android security model, in which an app that has not been granted the CALL_PHONE permission should not be able to initiate phone calls.
“An attacker could, for instance, trick victims into installing a tampered application and then use it to call premium-rate numbers they own or even regular ones and listen to the discussions in the range of the phone’s microphone,” said Bogdan Botezatu, a senior e-threat analyst at Bitdefender who confirmed the bug found by the Curesec researchers Monday. “The premium-rate approach looks more plausible, especially since Android does not screen premium-rate numbers for voice as it happens with text messages.”
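The two quotations above describe the attack surface in terms of what a dial string actually does: an MMI code that reconfigures forwarding or locks the SIM, or a premium-rate number that Android did not screen for voice calls. A dialer that receives a dial request from another component can at least classify the string before acting on it. The Python below is an added example written for this article, not code from Curesec, Google or Bitdefender; its MMI parsing follows the 3GPP TS 22.030 procedure syntax, the premium-rate prefix list is a placeholder policy that a real deployment would replace with per-country data, and the dial strings it runs on are constructed.

```python
"""Screen a dial string before handing it to the telephony stack.

Added example for this article; not code from Curesec, Google or Bitdefender.
MMI syntax and service codes follow 3GPP TS 22.030 / TS 22.090. The
premium-rate prefix list is an assumed placeholder policy (real lists are
per-country), and every dial string used below is constructed.
"""
import re
from dataclasses import dataclass

# Procedure syntax from 3GPP TS 22.030: action, service code (SC), optional
# supplementary-information (SI) fields separated by '*', a terminating '#',
# and optionally a number to dial (per-call forms such as "*31#" + number).
MMI_RE = re.compile(
    r"^(?P<action>\*\*|##|\*#|\*|#)"  # register, erase, interrogate, activate, deactivate
    r"(?P<sc>\d{2,3})"                # service code
    r"(?P<si>(?:\*[0-9+]*)*)"         # zero or more '*'-separated SI fields
    r"#"
    r"(?P<number>\+?\d+)?$"           # optional number dialled together with the code
)
# Anything else that starts with '*' or '#' and ends with '#' is a USSD-style
# string that the phone hands to the network (TS 22.090).
USSD_RE = re.compile(r"^[*#][0-9*#]*\d[0-9*#]*#$")
NUMBER_RE = re.compile(r"^\+?\d{3,15}$")  # E.164 allows at most 15 digits

ACTIONS = {"*": "activate", "#": "deactivate", "*#": "interrogate",
           "**": "register", "##": "erase"}

# Service codes for the features named in the Curesec quote
# (call forwarding, caller ID, SIM PIN handling).
SERVICE_CODES = {
    "21": "unconditional call forwarding",
    "61": "call forwarding on no reply",
    "62": "call forwarding when not reachable",
    "67": "call forwarding on busy",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
    "30": "calling line identification presentation",
    "31": "calling line identification restriction (caller anonymisation)",
    "43": "call waiting",
    "04": "SIM PIN change (repeated wrong PINs block the SIM)",
    "05": "SIM PIN unblock with PUK (repeated wrong PUKs block the SIM permanently)",
}

# Placeholder policy (assumption): digit prefixes, after any leading '+',
# that mark a premium-rate number. Replace with per-country numbering data.
DEFAULT_PREMIUM_PREFIXES = ("1900", "900", "4409")


@dataclass(frozen=True)
class DialDecision:
    kind: str     # "number", "premium", "mmi", "ussd" or "invalid"
    detail: str
    allow: bool   # True only for an ordinary number; anything else needs user confirmation


def screen_dial_string(raw: str,
                       premium_prefixes: tuple = DEFAULT_PREMIUM_PREFIXES) -> DialDecision:
    """Classify a dial string received from an untrusted source."""
    s = re.sub(r"[\s().-]", "", raw)  # drop the usual formatting characters
    if not s or not re.fullmatch(r"[0-9+*#]+", s):
        return DialDecision("invalid", "unexpected characters in dial string", False)

    m = MMI_RE.match(s)
    if m:
        action, sc, number = ACTIONS[m.group("action")], m.group("sc"), m.group("number")
        if sc in SERVICE_CODES:
            detail = f"{action} {SERVICE_CODES[sc]}"
            if number:
                detail += f" for a call to {number}"
            return DialDecision("mmi", detail, False)
        return DialDecision("ussd", f"{action} service code {sc} (not in local table)", False)

    if USSD_RE.match(s):
        return DialDecision("ussd", "USSD-style string handed to the network", False)

    if NUMBER_RE.match(s):
        if s.lstrip("+").startswith(premium_prefixes):
            return DialDecision("premium", "matches a premium-rate prefix", False)
        return DialDecision("number", "ordinary number", True)

    return DialDecision("invalid", "not a dialable string", False)


if __name__ == "__main__":
    # Constructed sample dial strings, one per class the screen distinguishes.
    for d in ("555-0100", "+1 900 555 0100", "*21*5550100#", "*31#5550100",
              "**04*0000*1234*1234#", "*#06#", "*1234#", "5550100;1234"):
        print(f"{d:24} -> {screen_dial_string(d)}")
```

Nothing in this classification substitutes for the permission check the bug skipped: an app without CALL_PHONE should never reach the dialer in the first place. The screen only ensures that when a request does arrive, forwarding changes, PIN operations and premium-rate calls are not executed silently.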