Rogue apps could exploit Android vulnerability to brick devices, researchers warn

The only way to recover from such an attack involves wiping all user data from affected devices, researchers from Trend Micro said

A vulnerability in Android that was publicly disclosed in mid-March could be exploited by malicious applications to force devices into an endless reboot loop, according to security researchers from Trend Micro.

The vulnerability was originally reported on March 16 by a user named Ibrahim Balic who described it as a memory corruption bug that forces the Android OS to crash, leading to a denial-of-service condition.

The bug can be triggered by an app whose name string exceeds 387,000 characters, Balic said at the time, adding that when he tried to upload one such application to Google Play he inadvertently crashed the service, making it unavailable to other developers for hours.

Researchers from security vendor Trend Micro have since analyzed the issue in more detail from a client-side perspective and confirmed that Android versions 4.0 and above are affected.

"We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets, which include 'bricking' a device, or rendering it unusable in any way," they said Sunday in a blog post. "In this context, the device is 'bricked' as it is trapped in an endless reboot loop."

An attacker could exploit this vulnerability by tricking users into installing a maliciously crafted app that includes a large amount of data in an Activity label, the equivalent of the window title on Windows. For example, the app could include a legitimate Activity that's used by default and a hidden, malicious one that's triggered based on a timer to crash the device, the Trend Micro researchers said.

"An even worse case is when the malware is written to start automatically upon device startup," they said. "Doing so will trap the device in a rebooting loop, rendering it useless."

The only method to recover from such an attack would be to perform a factory reset from the bootloader options, but this implies deleting all user data and preferences stored on the device including contacts, photos and files, the Trend Micro researchers said.
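The trigger described above is an app that ships an Activity label far larger than anything a legitimate app needs, so a cheap pre-install triage check is to read the declared length of every string in an APK's manifest and resource table and reject anything absurdly long. The following is an added example, not code from the article or from Trend Micro. It parses the ResStringPool chunk that both the binary AndroidManifest.xml and resources.arsc begin with (the same structure Android's own ResourceTypes code decodes) and reports strings over a threshold. The 387,000 figure is Balic's; the lower MAX_LABEL_CHARS cutoff, the function names and the in-memory sample APK are this example's own assumptions and constructed data.

```python
"""Flag oversized strings in an APK's AndroidManifest.xml / resources.arsc.

Added example (not Trend Micro's or the article's code). Reads the declared
length prefix of every entry in the first ResStringPool chunk, so a label of
hundreds of thousands of characters is detected without decoding it.
"""
import io
import struct
import zipfile

RES_STRING_POOL_TYPE = 0x0001
UTF8_FLAG = 1 << 8
MAX_LABEL_CHARS = 100_000  # assumed triage cutoff; Balic's trigger was >387,000 chars


def _decode_utf16_len(buf, off):
    """UTF-16 entry length: one u16, or two u16 words when the high bit is set."""
    n = struct.unpack_from("<H", buf, off)[0]
    if n & 0x8000:
        n = ((n & 0x7FFF) << 16) | struct.unpack_from("<H", buf, off + 2)[0]
    return n


def _decode_utf8_len(buf, off):
    """UTF-8 entry: u8 char count then u8 byte count, each 2 bytes if high bit set."""
    def one(o):
        n = buf[o]
        return (((n & 0x7F) << 8) | buf[o + 1], 2) if n & 0x80 else (n, 1)
    chars, used = one(off)
    return chars


def string_lengths(blob):
    """Yield the declared char length of each string in the first string pool."""
    off = struct.unpack_from("<H", blob, 2)[0]  # outer header: 8 (AXML) or 12 (arsc)
    while off + 8 <= len(blob):
        ctype, chdr, csize = struct.unpack_from("<HHI", blob, off)
        if ctype == RES_STRING_POOL_TYPE:
            break
        if csize < 8:  # malformed chunk; stop rather than loop forever
            return
        off += csize
    else:
        return
    count, _styles, flags, strings_start = struct.unpack_from("<IIII", blob, off + 8)
    offsets = struct.unpack_from("<%dI" % count, blob, off + chdr)
    base = off + strings_start
    for o in offsets:
        if flags & UTF8_FLAG:
            yield _decode_utf8_len(blob, base + o)
        else:
            yield _decode_utf16_len(blob, base + o)


def oversized_strings(apk, limit=MAX_LABEL_CHARS):
    """Return {zip member: [lengths over limit]} for the manifest and resource table."""
    findings = {}
    with zipfile.ZipFile(apk) as z:
        for name in ("AndroidManifest.xml", "resources.arsc"):
            if name in z.namelist():
                big = [n for n in string_lengths(z.read(name)) if n > limit]
                if big:
                    findings[name] = big
    return findings


def build_test_axml(strings):
    """Constructed sample: a minimal binary XML holding only a UTF-16 string pool."""
    data, offsets = b"", []
    for s in strings:
        offsets.append(len(data))
        n = len(s)
        pre = (struct.pack("<HH", 0x8000 | (n >> 16), n & 0xFFFF) if n > 0x7FFF
               else struct.pack("<H", n))
        data += pre + s.encode("utf-16-le") + b"\x00\x00"
    strings_start = 0x1C + 4 * len(strings)
    pool = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, 0x1C, strings_start + len(data),
                       len(strings), 0, 0, strings_start, 0)
    pool += struct.pack("<%dI" % len(strings), *offsets) + data
    return struct.pack("<HHI", 0x0003, 8, 8 + len(pool)) + pool


def demo(label_len=400_000):
    """Constructed in-memory APK whose manifest carries a label of label_len chars."""
    axml = build_test_axml(["activity", "Innocuous", "A" * label_len])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", axml)
    buf.seek(0)
    return oversized_strings(buf)  # {'AndroidManifest.xml': [400000]} for the default


if __name__ == "__main__":
    print(demo())
```

Labels are usually `@string/...` references into resources.arsc rather than literals in the manifest, which is why both members are scanned; the resource table's global pool is normally UTF-8, hence the second length decoder. A check like this belongs in whatever gate sits in front of sideloading or ADB-based deployment, since the article notes the second flaw's apps can only be installed that way.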

Google did not immediately respond to a request for comment.

Even if Google detects apps that attempt to exploit this issue and blocks them from being uploaded to Google Play, which is likely after Balic's upload in mid-March, attackers can still distribute malicious apps by other means: uploading them to third-party app stores that are popular in markets such as China and Russia, using Windows malware to inject content into browsing sessions and advertise the rogue apps on trusted sites, or using Windows malware to install such apps automatically on Android devices connected to infected computers.

In January security researchers from Symantec identified a Trojan program that tried to install mobile banking malware on Android devices connected to compromised computers by using the legitimate Android Debug Bridge (ADB) command line tool.

While investigating the risks associated with the vulnerability reported by Balic, the Trend Micro researchers identified a second flaw that can be used to crash Android's PackageManager and ActivityManager services.

When this happens, all other processes that depend upon PackageManager also crash, leaving the Android device completely unusable, the researchers said. Apps targeting this second vulnerability can't be installed through the regular Android user interface, but they can be deployed through ADB, which is used by many third-party market clients, they said.

Google has been notified about both vulnerabilities, but users should take the necessary precautions to protect their devices, the Trend Micro researchers said. "It's important to treat third-party apps with a healthy dose of suspicion and skepticism as cybercriminals are always on the lookout to find and exploit every nook and cranny in Android devices."

By Lucian Constantin