A vulnerability in Android that was publicly disclosed in mid-March could be exploited by malicious applications to force devices into an endless reboot loop, according to security researchers from Trend Micro.
The vulnerability was originally reported on March 16 by a user named Ibrahim Balic who described it as a memory corruption bug that forces the Android OS to crash, leading to a denial-of-service condition.
The bug can be triggered by an application that contains a name string of over 387,000 characters, Balic said at the time, adding that he tried to upload one such application to Google Play and inadvertently crashed the service, making it unavailable to other developers for hours.
Researchers from security vendor Trend Micro have since analyzed the issue in more detail from a client-side perspective and confirmed that Android versions 4.0 and above are affected.
"We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets, which include 'bricking' a device, or rendering it unusable in any way," they said Sunday in a blog post. "In this context, the device is 'bricked' as it is trapped in an endless reboot loop."
An attacker could exploit this vulnerability by tricking users into installing a maliciously crafted app that includes a large amount of data in an Activity label, the equivalent of the window title on Windows. For example, the app could include a legitimate Activity that's used by default and a hidden, malicious one that's triggered based on a timer to crash the device, the Trend Micro researchers said.
"An even worse case is when the malware is written to start automatically upon device startup," they said. "Doing so will trap the device in a rebooting loop, rendering it useless."
The only method to recover from such an attack would be to perform a factory reset from the bootloader options, but this implies deleting all user data and preferences stored on the device including contacts, photos and files, the Trend Micro researchers said.
Google did not immediately respond to a request for comment.
Even if the company detects apps that attempt to exploit this issue and prevents them from being uploaded to Google Play, which is likely after Balic's exploit in mid-March, attackers can still use other techniques to distribute malicious apps to users. These include uploading them to third-party app stores that are popular in certain markets like China or Russia; using Windows malware to inject content into browsing sessions and advertise the rogue apps on trusted sites; and using Windows malware to automatically install such apps on Android devices connected to infected computers.
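A static check of the kind an app store or device-management pipeline could run for this issue, added here as an example and not taken from Trend Micro, Google or Balic: it reads a decoded AndroidManifest.xml and strings.xml (for instance as produced by apktool), flags Activity labels above a size limit, and notes whether the app registers to start at boot. The function names and the 10,000-character limit are assumptions, and the sample input is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed review threshold, far below the 387,000 characters reported
# as the trigger; real window titles are a few dozen characters.
MAX_LABEL_CHARS = 10_000
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def load_strings(strings_xml):
    """Map string resource names to values from a decoded res/values/strings.xml."""
    root = ET.fromstring(strings_xml)
    return {s.get("name"): "".join(s.itertext()) for s in root.iter("string")}

def resolve_label(raw, strings):
    """Return the literal label text, following an @string/ reference if present."""
    if raw and raw.startswith("@string/"):
        return strings.get(raw[len("@string/"):], "")
    return raw or ""

def scan_manifest(manifest_xml, strings_xml, limit=MAX_LABEL_CHARS):
    """Report components with oversized labels and whether the app starts at boot."""
    strings = load_strings(strings_xml)
    root = ET.fromstring(manifest_xml)
    oversized = []
    for tag in ("application", "activity", "activity-alias"):
        for elem in root.iter(tag):
            label = resolve_label(elem.get(ANDROID_NS + "label"), strings)
            if len(label) > limit:
                name = elem.get(ANDROID_NS + "name", "<" + tag + ">")
                oversized.append((name, len(label)))
    starts_at_boot = any(
        action.get(ANDROID_NS + "name") == BOOT_ACTION
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    return {"oversized_labels": oversized, "starts_at_boot": starts_at_boot}

# Constructed sample input, not taken from any real app.
SAMPLE_STRINGS = ("<resources><string name='app_name'>Notes</string>"
                  "<string name='hidden_title'>" + "A" * 20_000 + "</string></resources>")
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
<application android:label="@string/app_name">
<activity android:name=".MainActivity" android:label="@string/app_name"/>
<activity android:name=".HiddenActivity" android:label="@string/hidden_title"/>
<receiver android:name=".BootReceiver"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
</application></manifest>"""

if __name__ == "__main__":
    print(scan_manifest(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

An app that combines an oversized label with a boot-time receiver matches the worst case the researchers describe and warrants rejection or manual review before installation.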