Android bug that crashed Google Play can brick devices too

Attackers could use a recently-revealed flaw to disable their target's device and destroy their data.

Cybercriminals might be more interested in stealing a victim's data than bricking their smartphone, but a newly-discovered bug in Android could potentially allow them to do just that.

The flaw, which affects Android 4.0 and upwards, was reported by London-based researcher Ibrahim Balic on earlier this month as a memory corruption bug, which allows a malformed APK file to force Android OS to crash.

According to Balic, the bug can be triggered by setting the application name parameter ('appname') to greater than 387,000 characters. Besides crashing Android devices, shortly after Balic uploaded his proof of concept exploit file to Google Play to test it against Google's Bouncer, hundreds of developers reported being unable to upload their apps to Google's marketplace for several hours, suggesting to Balic that it also caused a denial of service there.

A further analysis released yesterday by Trend Micro highlights that Balic's exploit can cause several Android device services to crash, including WindowsManager, PackageManager and ActivityManager, making it a potentially valuable tool for cybercriminals.

"We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets. The device is stuck in an endless reboot loop, or a bootloop. This can render the device unusable, which some may consider 'bricking' it," Trend Micro's mobile threat analyst Veo Zhang said.

According to Zhang, Balic's exploit involved entering large amounts of data into the Activity label, which is the equivalent of the window tile in Windows. 

The avenue that Balic used to insert an oversized name was AndroidManifest.xml, an Android element which allows developers to, for example, change an existing app's name without creating an entirely new project.

According to Zhang, it wouldn't be possible to set an app name to a string as large as Balic had done were it not for a commonly used tool known as Android Debug Bridge.

"In AndroidManifest.xml, apps' label names can be set in the "android:label" attribute of the element, and it can be written with a raw string, not only with the reference of the string resource. Normally, apps with very long raw string labels declared in AndroidManifest.xml cannot be installed, due to the Android Binder's transaction buffer size limit. But through the ADB (Android Debug Bridge) interface, which is used by many third-party market clients, such apps can be installed–which, inevitably, causes an instant PackageManager service crash."

As far as the potential for cybercriminals to exploit the vulnerability goes, Zhang points out that they could build an app containing a hidden Activity with a large label that exploits and crashes the devices when it is running. In this case, it will cause the device to crash and reboot.

The worst case scenario, however, is when the malware is written to start automatically upon device startup.

"Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased," Zhang said.

ZDNet has asked Google for comment and will update the story if it receives one. 

According to Trend Micro, Google has been notified of the vulnerability. 

Read more on Android security

Show Comments