SecurityWeek

Malware & Threats

Android Bug Traps Devices in ‘Endless Reboot Loop’

More details have emerged about a Google Android vulnerability that could be exploited to trap devices in a reboot loop.

The vulnerability, which Balic described as a memory corruption bug, was publicly disclosed earlier this month by researcher Ibrahim Balic. According to Balic, the bug can be triggered if the application’s ‘appname’ field has a value greater than 387,000 characters. Uploading his malformed APK to Google Play as a test also caused a denial-of-service condition on the store itself.

Android Reboot Vulnerability

“We believe this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets,” blogged Trend Micro Mobile Threats Analyst Veo Zhang. “The device is stuck in an endless reboot loop, or a bootloop. This can render the device unusable, which some may consider “bricking” it.”

The issue appears to affect Android OS versions 4.0 and higher. Trend Micro’s analysis shows the first crash is caused by the memory corruption in WindowManager, the interface that applications use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window title in Windows, Zhang blogged.

“If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place,” Zhang explained. “Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.”

“An even worse case is when the malware is written to start automatically upon device startup,” Zhang continued. “Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased.”

Additional research by Trend Micro has uncovered another issue apart from the WindowManager service. According to Trend Micro, PackageManager and ActivityManager are also susceptible to a similar situation. The difference is that the user’s device will crash immediately when the malicious app is installed.

“In AndroidManifest.xml, apps’ label names can be set in the “android:label” attribute of the element, and it can be written with a raw string, not only with the reference of the string resource,” Zhang blogged. “Normally, apps with very long raw string labels declared in AndroidManifest.xml cannot be installed, due to the Android Binder’s transaction buffer size limit. But through the ADB (Android Debug Bridge) interface, which is used by many third-party market clients, such apps can be installed–which, inevitably, causes an instant PackageManager service crash.”

The result is a chain reaction in which all other processes depending upon PackageManager will crash as well, leaving the device unusable. 
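The manifest attribute Zhang describes can be checked statically before an APK is sideloaded or accepted into a third-party store. The following is an added example, not code from the article or from Trend Micro: it parses a decoded AndroidManifest.xml (such as apktool output) and flags any `android:label` whose raw string is oversized, while skipping `@string/...` references, which carry no long value in the manifest itself. The 10,000-character triage threshold and the sample manifest are constructed for illustration; the article cites 387,000 characters as the trigger Balic reported.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LABEL_ATTR = "{%s}label" % ANDROID_NS
NAME_ATTR = "{%s}name" % ANDROID_NS


def find_oversized_labels(manifest_xml: str, threshold: int = 10_000):
    """Return (tag, android:name, length) for each element whose raw
    android:label string exceeds `threshold` characters.

    Resource references such as "@string/app_name" are skipped: their
    text lives in resources.arsc, not in the manifest, so this check
    only covers the raw-string case the Trend Micro analysis describes.
    The threshold is an assumed triage value, not an Android limit.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter():  # covers <application>, <activity>, etc.
        label = elem.get(LABEL_ATTR)
        if label is None or label.startswith("@"):
            continue
        if len(label) > threshold:
            findings.append((elem.tag, elem.get(NAME_ATTR, ""), len(label)))
    return findings


# Constructed sample: a normal app whose <application> label is a resource
# reference, one ordinary activity, and a non-launcher activity carrying a
# 20,000-character raw label (kept small here; the reported trigger was ~387k).
_LONG_LABEL = "A" * 20_000
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="%s" package="com.example.sample">' % ANDROID_NS
    + '<application android:label="@string/app_name">'
    + '<activity android:name=".MainActivity" android:label="Sample"/>'
    + '<activity android:name=".HiddenActivity" android:exported="false" '
    + 'android:label="' + _LONG_LABEL + '"/>'
    + "</application></manifest>"
)

if __name__ == "__main__":
    for tag, name, length in find_oversized_labels(SAMPLE_MANIFEST):
        print(f"suspicious <{tag}> {name}: raw label of {length} characters")
```

Run it against the decoded manifest of any APK you are about to install over ADB; a hit on a non-launcher activity is exactly the hidden-Activity pattern the article warns about.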

“As always, we advise users to never download apps from third-party app stores,” the Trend Micro researcher explained. “It’s important to treat third-party apps with a healthy dose of suspicion and skepticism as cybercriminals are always on the lookout to find and exploit every nook and cranny in Android devices. Google has already been notified about the vulnerabilities but users should still take the necessary precautions in order to protect their mobile devices. Developers familiar with the use of the Android Debug Bridge can use this as well to remove problematic apps in question.”

Google was notified of the vulnerabilities. So far, it has not responded to a request for comment. 

Written By

Marketing professional with a background in journalism and a focus on IT security.