With all of the hype around mobile threats these days, it is sometimes hard for the average reader to separate the actual risk to their organization from the noise. This week a research article was posted describing a vulnerability in Android that could allow an attacker to crash devices that install a malicious application. The researchers claim that, “We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets. The device is stuck in an endless reboot loop, or a bootloop. This can render the device unusable, which some may consider ‘bricking’ it.”
This phrasing has produced media headlines like “Malicious apps can hose Android phones, erase data, researchers warn”, “Rogue apps could exploit Android vulnerability to brick devices, researchers warn”, and “Android bug that crashed Google Play can brick devices too.”
These headlines are obviously written to get the reader’s attention, but in a world where many people read only the headline they can be quite misleading. First, there is no evidence that this vulnerability can erase user data. That claim traces back to the researchers’ article, which states that in order to recover from one variant of the attack a user would need to reset the device, which would “run the risk” of deleting user data. Furthermore, that variant requires the app to be installed via ADB (Android Debug Bridge), a developer tool most users are unaware of; it does not go through the official app store and is a very uncommon installation method for the average user. The claim that this vulnerability can “brick” devices also appears to be taken somewhat out of context. While the vulnerability could leave a device temporarily unusable, a power user or administrator could restore it.
Although it is true that this vulnerability is capable of crashing Android devices, it is important to point out that at this time there is no known exploitation of it “in the wild.” Mobile malware distributors are typically motivated by money and information, and are therefore unlikely to spend their established distribution channels on malware that simply crashes the device and gains them nothing. If this vulnerability were used in the wild, it would most likely be as a targeted denial of service by “hacktivist” actors motivated by a sense of social or moral justice. In more far-fetched scenarios, this type of vulnerability could be combined with other schemes such as extortion or a “kill switch.”
This vulnerability was discovered and disclosed by an independent security researcher, Ibrahim Balic. Using a common vulnerability-hunting technique called “fuzzing,” Balic found that inserting very large amounts of data into certain fields caused memory corruption, and as a result the Android OS crashed.
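The kind of length-based fuzzing described above can be illustrated with a small harness. The code below is an added example, not the researcher’s tooling, and it knows nothing about the actual Android fields involved: the target `toy_parse_field` is a constructed stand-in with a deliberately undersized fixed field, and `TargetCrash` models the observable crash. The harness sweeps input lengths geometrically until the target falls over, then bisects to find the smallest length that triggers the crash, which is the number a researcher wants when reporting an oversized-field bug.

```python
"""Length-sweep fuzzer: find the smallest field size that crashes a parser.

Added illustration. The target is a constructed toy with a deliberate
fixed-size-field defect so the harness has something to find; a real
campaign would swap in a harness that drives the actual program.
"""
from typing import Callable, Optional

FIELD_LIMIT = 4096  # constructed: the toy parser's undersized internal field


class TargetCrash(Exception):
    """Stands in for the observable failure (abort, kernel panic, bootloop)."""


def toy_parse_field(value: str) -> int:
    """Constructed target: copies a field into a fixed-size buffer.

    We model "memory corruption" as a crash as soon as the copy would run
    past the end of the buffer; a C implementation would simply overflow.
    """
    buf = bytearray(FIELD_LIMIT)
    data = value.encode("utf-8")
    if len(data) > len(buf):
        raise TargetCrash(f"wrote {len(data)} bytes into {len(buf)}-byte field")
    buf[: len(data)] = data
    return len(data)


def crashes(target: Callable[[str], object], length: int, fill: str = "A") -> bool:
    """Feed `length` copies of `fill` to the target; True if it crashed."""
    try:
        target(fill * length)
    except TargetCrash:
        return True
    return False


def find_crash_threshold(
    target: Callable[[str], object], start: int = 1, ceiling: int = 1 << 24
) -> Optional[int]:
    """Geometric sweep to the first crash, then bisect to the minimum length.

    Returns None if no length up to `ceiling` crashes the target.
    """
    lo, hi = 0, start  # the empty input is assumed to survive
    while hi <= ceiling and not crashes(target, hi):
        lo, hi = hi, hi * 2
    if hi > ceiling:
        return None
    # Invariant from here on: `lo` survives, `hi` crashes.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if crashes(target, mid):
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    print("smallest crashing length:", find_crash_threshold(toy_parse_field))
```

Doubling rather than stepping by one keeps the number of target executions logarithmic in the crash threshold, which matters when each run means reinstalling an app on a real device; the bisection then costs roughly another dozen runs to pin down the exact boundary.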
As mobile threat researchers we can say with certainty that threats to mobile devices are many, varied, and present significant risk to individuals and organizations. Faced with a daily deluge of mobile attacks, it is easy to get overwhelmed, or to get the sense that the sky is falling.
We believe it is important to move past the hype and understand the actual risk a threat poses. In this case there are no known cases in the wild, so the likelihood of infection is very low. The impact would be a temporary denial of service, which most organizations would rate as low compared with more serious outcomes. The risk of data loss is very low, and this vulnerability provides no path to data disclosure. Overall, we believe most organizations would consider this a very low risk. It is worth understanding, but it does not pose a significant threat to most enterprises.
Users can protect themselves from this vulnerability by downloading apps only from trusted sources, and by using a mobile security solution that blocks this type of malware regardless of where it comes from.