A leading security firm has investigated reports of a crash vulnerability in Google’s Bouncer infrastructure affecting mobile devices and concluded the problem could be exploited by cybercriminals.
Trend Micro said the vulnerability puts devices using Android version 4.0 or later at risk.
"We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets, which include 'bricking' a device, or rendering it unusable in any way. In this context, the device is “bricked” as it is trapped in an endless reboot loop,” Trend said in a blog post.
The company reiterated its standard advice when it comes to Android security “never download apps from third-party app stores. It’s important to treat third-party apps with a healthy dose of suspicion and skepticism as cybercriminals are always on the lookout to find and exploit every nook and cranny in Android devices.”
Trend also said it has notified Google about the vulnerabilities, but users should take caution until the issue has been resolved.
What’s the problem?
The issue is that a crash is caused by the memory corruption in WindowManager, the interface that apps use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window tile in Windows.
“If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place,” said Trend.
“Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.”
(Security and management of tablets will be among the key issues discussed in panel sessions at the upcoming Tablet Strategy conference in New York on May 6, 2014)