Feeds

Another day, another nasty Android vuln

Memory corruption mess can brick your mobe

Security and trust: The backbone of doing business over the internet

The security researcher who last year sucked thousands of IDs out of Apple's Developer Centre site has turned his gaze onto Android and turned up a bug that Trend Micro says is exploitable.

According to Ibrahim Balic, the bug causes memory corruption on Android 4.2.2 , 4.3 and 2.3 at least, but he suspects all Android versions may be affected.

That blog post, along with Balic's report that a malformed APK containing the bug crashed Google's Bouncer infrastructure, has now been confirmed in more – and better-written – detail by Trend Micro, here.

Trend writes: “We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets, which include “bricking” a device, or rendering it unusable in any way. In this context, the device is “bricked” as it is trapped in an endless reboot loop.”

Balic writes that if an attacker sets appname in strings.xml to a value greater than 387,000 characters, the bug is triggered. Trend Micro provides more detail, saying that the attack triggers memory corruption in Android's WindowManager (used to control the placement and appearance of windows).

An attacker needs only conceal a hidden Activity label in a package, Trend Micro says, to brick the target. If the attacker were to create malware that auto-started on power-up, the user's only option would be to completely wipe the device via a boot loader recovery.

Trend says the problem goes beyond Balic's post:

“PackageManager and ActivityManager are also susceptible to a similar crashing vulnerability. The critical difference here is that the user’s device will crash immediately once the malicious exploit app is installed. Note that the exploit app in this case does not need any special permission.”

Google has been notified of the issue. ®

Protecting against web application threats using SSL

More from The Register

next story
Microsoft changes cert test providers, hints at fun new exams
If you really love taking tests with Prometric, do 'em before Christmas
Blighty's mighty tech skills shortage drives best job growth in years
Doesn't anyone know anything about SQL? Or Java? Or Linux? Or programming? Or...
Amazon hiring in Australia for 'new and confidential Amazon Fresh initiative'
Is Jeff Bezos moving his grocery business beyond the US West Coast?
Symantec security chap signs for CSIRO's ICT In Schools
Vulture South is closing in on our goal of 20 new recruits to help teachers and kids
A-level results: Before you smile at that jump-for-joy snap...
Uni-ditching teens are COMING FOR YOUR JOBS
How to promote CSIRO's ICT in Schools in your community
Vulture South is closing in on its target to find volunteers to help teach tech in schools
Everyone's an IoT expert but now there's a certificate to prove it
Cisco creates Certification of Things for industrial sensor-footlers
Facebook wants Linux networking as good as FreeBSD
Help The Social NetworkTM make the kernel better
LinkedIn settles missed overtime pay case: Will pay $6m to staffers
US Dept of Labor: It violated Fair Labor Standards Act
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.