The attack is not exactly silent, as users can see that a call is in progress by looking at the phone, but there are ways to make detection harder.
A malicious app could wait until there is no activity on the phone before initiating a call or could execute the attack only during nighttime, Lux said Monday via email. The app could also completely overlay the call screen with something else, like a game, he said.
The Curesec researchers have created an application that users can install to test whether their devices are vulnerable, but they have not published it to Google Play. As far as Lux knows, Google is now scanning the store for apps that attempt to exploit the vulnerability.
The only protection for users who don't receive the Android 4.4.4 update would be a separate application that intercepts every outgoing call and asks them for confirmation before proceeding, Lux said.
Lux and his team have also identified a separate vulnerability in older Android versions, namely 2.3.3 to 2.3.6, also known as Gingerbread, that has the same effect. Those Android versions were still used by around 15 percent of Android devices as of June, according to Google's data.
Google did not immediately respond to a request for comment.
Sign up for MIS Asia eNewsletters.