Android bug can push devices into an endless reboot loop

A Proof-of-Concept app exploiting a recently discovered Android vulnerability that triggers the continuous rebooting of an affected device was apparently also behind the recent DoS attack on Google Play.

Speculations about the reason behind this latter event have been started by independent researcher Ibrahim Balic, the creator of the PoC app.

According to Balic, the vulnerability in question can be exploited via apps that have been equipped with an extremely long value (387,000 characters+ characters) inserted into the “appname” field in strings.xml

The existence of the flaw has been confirmed by Trend Micro researchers, and has been explained thusly:

Our analysis shows that the first crash is caused by the memory corruption in WindowManager, the interface that apps use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window title in Windows.

If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place. Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.

An even worse case is when the malware is written to start automatically upon device startup. Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased.

The flaw apparently affects mobile devices with Android OS versions 4.0 and above.

Balic has reported the vulnerability to Googe but, by his own admission, couldn’t resist testing whether his PoC app will be recognized as malicious by Google’s Bouncer, so he uploaded it to Google Play.

He believes that the app has thrown Bouncer for a loop (figuratively and literally), and was the reason that other developers haven’t been able to upload their APPs to Google Play for a short period of time.