Google fixes nightmare Android bug that stopped user from calling 911



The January security patch addresses one of the most serious bugs in the operating system, which can cause certain apps to stop you from calling emergency services.

A harrowing tale popped up in the subreddit in December, from a user whose phone crashed when they needed it the most, and then called for help for their grandmother who appeared to be having a stroke. The whole phone subsystem crashed upon calling emergency services, with user "KitchenPicture5849" saying they couldn't get the call to connect or hang up. Emergency services were able to contact them after their phone let them down, but a nearby landline was available.

After the crisis was over, the user gave a call to the police, and the phone crashed again, indicating that it wasn't a one-off bug. A check of their phone bill showed that KitchenPicture5849 never connected to the emergency service. Users reported that they were experiencing the same bug.

On December 8, the user was contacted by the user by the user by the user by the user by the user by the user by the user by the user by the user by the user by the user by the user by the user by the user by the user by the user by the user

We have been able to reproduce the issue under a limited set of circumstances. We believe the issue is only present on a small number of devices with the Microsoft Teams app installed when the user is not logging in, and we are currently only aware of one user report related to the occurrence of this bug. The issue was caused by an interaction between the Microsoft Teams app and the underlying operating system.

Users should check for an update in the Play Store because Microsoft will be pushing an app update out soon. An OS-level patch would be out in early January, according to the company. There was no further comment from the company on the issue.

The apps can break.

Hold up. Microsoft teams broke. Emergency services can be broken by random apps. How? Why can third-party apps be so close to such a critical function? Do any other apps break the law? While Teams got fixed, was it really a good idea to let users hang out with this OS-level bug for a month, especially when we don't know if other apps are doing it? Many phones won't get patched because they're not compatible with Android. Users can't know if emergency services will work. There were no answers other than to wait a month for a fix.

The Senior Technical Editor for Esper wrote an incredible post detailing how the bug works and why it happens. The phone call feature on the apps on the platform allows them to register a "PhoneAccount" with the system to indicate they have the ability to place calls. There are a few flags that can be set with PhoneAccount. When it's time to call to the emergency service, the list of phoneaccounts that have been registered is sorted. This seems to be fine so far.

Advertisement

One of the bugs identified in Rahman's post is that Microsoft Teams will register an additional PhoneAccount with the system if you aren't logging in. It's not uncommon for Microsoft Teams to be installed and never used, but a common complaint of the Teams app is that it logs users out automatically. Launching Microsoft Teams 10 times will result in 10 duplicate phone accounts. Teams shouldn't do this, and Microsoft's update stopped Teams from doing this, but a bunch of duplicate PhoneAccounts shouldn't be enough to bring the phone system to its knees.

The last step in the process of sorting is called the tiebreaker. The comparison subtracts one of the two hashcode. It's possible for this to result in an underflow or an overflow, and now the phone subsystem is going to crash. Since it's the last sorting tiebreaker after trying more obvious things like the package name, it should only get invoked in the very specific instance of an app spawning duplicate PhoneAccounts. Thanks, Microsoft!

There is an underflow bug and a integer overflow bug.

The fix for this bug is here, titled "Fix the integer overflow/underflow caused by sorting of duplicate phone accounts during emergency call attempt." The java function "Integer.compare" has been used to run the two numbers instead of subtracting one from another. This only shows a smaller, identical, or bigger compare result.

If you're like me, you're wondering why the default account on the phone is not sorted through, and I'll take a wild guess and say that this was an attempt to make the service work. In case the main account doesn't work, it wants a list of every possible phone account it can try, and it wants to connect to the emergency services automatically. The regular phone calls still work for the affected users because the system only exists for contacting emergency services.

Microsoft Teams does not register itself as an emergency call handler. Teams made a million PhoneAccounts, but they didn't use the flag "Calls", but it still broke. When a better first step would be to start with all emergency call- capable phone accounts, is when the sort process begins. The system's "self-managed" phone account will be culled from the system's procedure in order to solve the last bug. "Self-managed" accounts of the Android phone system can roll their own features and get more direct access to the telephony stack. The emergency call system on the phone will only consider simpler providers if you have a carrier account. All those other apps can still be used to call the emergency services. If you open the dialer, you will be able to choose from standardized, system-managed phone accounts.

Advertisement

Who is getting patched, and how you can check for the bug.

Rahman says that the monthly security bulletin categorizes the vulnerability as a high-severity "denial of service" vulnerability with patches for devices running the following versions of the operating system: The fix is backported all the way to the newer version of the OS, which is not supported anymore. Zero manufacturers are pushing security updates to devices that are old. The code is available if anyone wants it.

The only way to get a fix for the telephony stack is via the monthly security update. The phones on this list should be updated by this week, while the fixes for the 3a, 4a, 5, and 5a are being pushed out.

An update for the phone is not ready. At the moment, the newest flagship of the company is going through an update crisis. The update was pulled because phone calls don't work. The next update for the Pixel 6 is due in late January. It's normal to be on the November patch.

I'll take another wild guess and say that the Pixel 6 is the odd phone because it's a completely different system on a chip and modem than every other one. Making the holiday shopping season happen didn't allow for much wiggle room for launch delays. That doesn't make it any less disappointing for a phone with a big selling point, but hopefully, this is a temporary problem.

The roll-out is taking one-to-two months and the bug is a high severity one. It would be nice if all of this arrived quicker, instead of how they are dealing with the issue.

I have written an application that helps detect and prevent emergency calls from not working. Check the thread for more information.
>
December 11, 2021.

If you're waiting for a patch, or if you have one of the billions of Android devices that won't ever get patched, there is a way to see if your phone is overflowing with duplicate PhoneAccounts. The "PhoneAccount Abuse Detector" is an open-source app that will list every phone account you have on your device. There is no hard rule, but you should see about one Phone Account per app.

There is no telling if any other apps are making the same mistake that Microsoft Teams is making. There is a chance that an app on this list will stop you from connecting with emergency services. I recommend that you uninstall the app, contact the developer, and let the rest of us know on social media.