Feeds

Another day, another nasty Android vuln

Memory corruption mess can brick your mobe

Security for virtualized datacentres

The security researcher who last year sucked thousands of IDs out of Apple's Developer Centre site has turned his gaze onto Android and turned up a bug that Trend Micro says is exploitable.

According to Ibrahim Balic, the bug causes memory corruption on Android 4.2.2 , 4.3 and 2.3 at least, but he suspects all Android versions may be affected.

That blog post, along with Balic's report that a malformed APK containing the bug crashed Google's Bouncer infrastructure, has now been confirmed in more – and better-written – detail by Trend Micro, here.

Trend writes: “We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets, which include “bricking” a device, or rendering it unusable in any way. In this context, the device is “bricked” as it is trapped in an endless reboot loop.”

Balic writes that if an attacker sets appname in strings.xml to a value greater than 387,000 characters, the bug is triggered. Trend Micro provides more detail, saying that the attack triggers memory corruption in Android's WindowManager (used to control the placement and appearance of windows).

An attacker needs only conceal a hidden Activity label in a package, Trend Micro says, to brick the target. If the attacker were to create malware that auto-started on power-up, the user's only option would be to completely wipe the device via a boot loader recovery.

Trend says the problem goes beyond Balic's post:

“PackageManager and ActivityManager are also susceptible to a similar crashing vulnerability. The critical difference here is that the user’s device will crash immediately once the malicious exploit app is installed. Note that the exploit app in this case does not need any special permission.”

Google has been notified of the issue. ®

Security for virtualized datacentres

More from The Register

next story
Looking for a job in Europe? Experienced IT staff needed in UK, Italy and Germany
New graduates need life skills, says Euro Commish report
‘For the love of Pete, America, learn about decent chocolate’
If that's your only gripe about a life in LA, lucky you!
IT JOB OUTSOURCING: Will it ever END?
Let's look at the economics behind it...
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Want to break Netflix? It'll pay you to do the job
'Senior Chaos Engineer' sought to inflict all sorts of nasty, nasty, pain
HOT BABES! Worried you won't get that JOB in IT? MENTION how hot you are
'Don't hate me 'cos I'm beautiful' ploy for sad honeys
Oracle to DBAs: your certification is about to become worthless paper
So hurry up and get a new one, will all of you who took exams for 10g and lower?
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.