Android Bug Traps Devices in ‘Endless Reboot Loop’

More details have emerged about a Google Android vulnerability that could be exploited to trap devices in a reboot loop.


The vulnerability was publicly disclosed earlier this month by researcher Ibrahim Balic, who referred to it as a memory corruption bug. According to Balic, the bug can be triggered if the application’s ‘appname’ field has a value greater than 387,000 characters. The issue also caused a denial-of-service condition on Google Play after Balic uploaded his malformed APK as a test.


“We believe this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets,” blogged Trend Micro Mobile Threats Analyst Veo Zhang. “The device is stuck in an endless reboot loop, or a bootloop. This can render the device unusable, which some may consider ‘bricking’ it.”

The issue appears to affect Android OS versions 4.0 and higher. Trend Micro’s analysis shows the first crash is caused by the memory corruption in WindowManager, the interface that applications use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window title in Windows, Zhang blogged.

“If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place,” Zhang explained. “Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.”

“An even worse case is when the malware is written to start automatically upon device startup,” Zhang continued. “Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased.”

Additional research by Trend Micro has uncovered another issue apart from the WindowManager service. According to Trend Micro, PackageManager and ActivityManager are also susceptible to a similar situation. The difference is that the user’s device will crash immediately when the malicious app is installed.


“In AndroidManifest.xml, apps’ label names can be set in the “android:label” attribute of the element, and it can be written with a raw string, not only with the reference of the string resource,” Zhang blogged. “Normally, apps with very long raw string labels declared in AndroidManifest.xml cannot be installed, due to the Android Binder’s transaction buffer size limit. But through the ADB (Android Debug Bridge) interface, which is used by many third-party market clients, such apps can be installed–which, inevitably, causes an instant PackageManager service crash.”

The result is a chain reaction in which all other processes depending upon PackageManager will crash as well, leaving the device unusable. 
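A defensive check for the condition Zhang describes, as an added example that is not code from Trend Micro or the article: it scans a decoded, plain-text AndroidManifest.xml (for instance, one produced by apktool) for raw-string `android:label` values of abnormal length and notes whether the app also requests start-on-boot. The 1,000-character threshold, the function names and the sample manifest are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LABEL = f"{{{ANDROID_NS}}}label"
NAME = f"{{{ANDROID_NS}}}name"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
LABELED_TAGS = ("application", "activity", "activity-alias",
                "service", "receiver", "provider")
# Assumption: triage threshold picked for this example. The article cites
# 387,000 characters as the trigger; legitimate labels are far shorter.
MAX_LABEL_CHARS = 1_000


def audit_manifest(manifest_xml, max_chars=MAX_LABEL_CHARS):
    """Return one finding per raw-string label longer than max_chars."""
    # Manifests never need a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in manifest_xml:
        raise ValueError("DOCTYPE not allowed in manifest under audit")
    root = ET.fromstring(manifest_xml)
    starts_on_boot = any(p.get(NAME) == BOOT_PERMISSION
                         for p in root.iter("uses-permission"))
    findings = []
    for elem in root.iter():
        label = elem.get(LABEL)
        # "@..." values are resource references, not raw strings; resolving
        # them against the string resources is outside this example.
        if elem.tag not in LABELED_TAGS or label is None or label.startswith("@"):
            continue
        if len(label) > max_chars:
            findings.append({"element": elem.tag,
                             "name": elem.get(NAME, "(unnamed)"),
                             "label_chars": len(label),
                             "starts_on_boot": starts_on_boot})
    return findings


def sample_manifest(label):
    """Constructed sample input for this example (not from the article)."""
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.sample">'
            f'<uses-permission android:name="{BOOT_PERMISSION}"/>'
            '<application android:label="@string/app_name">'
            f'<activity android:name=".SampleActivity" android:label="{label}"/>'
            '</application></manifest>')


if __name__ == "__main__":
    print(audit_manifest(sample_manifest("A" * 5_000)))
```

A finding with `starts_on_boot` set corresponds to the reboot-loop case in the article and deserves the highest triage priority.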

“As always, we advise users to never download apps from third-party app stores,” the Trend Micro researcher explained. “It’s important to treat third-party apps with a healthy dose of suspicion and skepticism as cybercriminals are always on the lookout to find and exploit every nook and cranny in Android devices. Google has already been notified about the vulnerabilities but users should still take the necessary precautions in order to protect their mobile devices. Developers familiar with the use of the Android Debug Bridge can use this as well to remove problematic apps in question.”

Google was notified of the vulnerabilities. So far, it has not responded to a request for comment. 
