More details have emerged about a Google Android vulnerability that could be exploited to trap devices in a reboot loop.
The vulnerability was publicly disclosed earlier this month by researcher Ibrahim Balic, which he referred to as a memory corruption bug. According to Balic, the bug can be triggered if the application’s ‘appname’ field has a value greater than 387,000 characters. In addition, the situation also caused a denial-of-service condition on Google Play after Balic uploaded his malformed APK as a test.
“We believe this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets,” blogged Trend Micro Mobile Threats Analyst Veo Zhang. “The device is stuck in an endless reboot loop, or a bootloop. This can render the device unusable, which some may consider “bricking” it.”
The issue appears to affect Android OS versions 4.0 and higher. Trend Micro’s analysis shows the first crash is caused by the memory corruption in WindowManager, the interface that applications use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window title in Windows, Zhang blogged.
“If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place,” Zhang explained. “Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.”
“An even worse case is when the malware is written to start automatically upon device startup,” Zhang continued. “Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased.”
Additional research by Trend Micro has uncovered another issue apart from the WindowManager service. According to Trend Micro, PackageManager and ActivityManager are also susceptible to a similar situation. The difference is that the user’s device will crash immediately when the malicious app is installed.
“In AndroidManifest.xml, apps’ label names can be set in the “android:label” attribute of the element, and it can be written with a raw string, not only with the reference of the string resource,” Zhang blogged. “Normally, apps with very long raw string labels declared in AndroidManifest.xml cannot be installed, due to the Android Binder’s transaction buffer size limit. But through the ADB (Android Debug Bridge) interface, which is used by many third-party market clients, such apps can be installed–which, inevitably, causes an instant PackageManager service crash.”
The result is a chain reaction in which all other processes depending upon PackageManager will crash as well, leaving the device unusable.
“As always, we advise users to never download apps from third-party app stores,” the Trend Micro researcher explained. “It’s important to treat third-party apps with a healthy dose of suspicion and skepticism as cybercriminals are always on the lookout to find and exploit every nook and cranny in Android devices. Google has already been notified about the vulnerabilities but users should still take the necessary precautions in order to protect their mobile devices. Developers familiar with the use of the Android Debug Bridge can use this as well to remove problematic apps in question.”
Google was notified of the vulnerabilities. So far, it has not responded to a request for comment.
