Researchers at security firm CureSec have discovered a security flaw in the Android system that allows malicious applications to initiate unauthorized phone calls.
By exploiting this vulnerability, malicious apps can make phone calls to premium-rate numbers and terminate any outgoing calls. They can also send Unstructured Supplementary Service Data (USSD) codes that can be used for enabling call forwarding, blocking your SIM card, and so on.
The security bug appears to have been introduced in Android Jelly Bean 4.1.1, and it exists in all later versions through Android KitKat 4.4.2.
CureSec has also released source code and a proof-of-concept application to demonstrate the existence of the vulnerability.
The bug has been fixed in the latest version of Android (v4.4.4).