by Jason Gu and Seven Shen
Just about anyone can appreciate a good old meme GIF every now and then, but what if one caused your Android Messages to crash?
A denial-of-service vulnerability we recently disclosed to Google can do exactly that and more. Designated as CVE-2017-0780, we’ve confirmed it to be in the latest Nexus and Pixel devices. The security flaw can let attackers illicitly and remotely crash their victims’ Android Messages app by sending a malformed multimedia message (MMS). The app will also be incapable of recovering from the crash even if the device/system is rebooted or booted in safe mode.
Google’s Play Store boasts over 50 million installs of Android Messages. Given that it’s also the default messaging app (that is, it can’t be unloaded) of many Nexus and Pixel devices, the impact is indeed palpable to both end users and enterprises that use it.
Businesses, for instance, can leverage Android Messages to improve how they communicate with customers. Users, too, can create more personalized messages without having to muddle through different apps. And considering how the app is being positioned as a seamless messaging service across various Android platforms, rendering the app unusable can adversely affect how Android users communicate.
Additionally, the app’s inaccessibility can serve as a catalyst for potential attacks that device owners won’t be able to see, delete or control. These attacks, for instance, can entail taking over the device’s SMS/MMS function, or sending and receiving malware-laden SMS messages that certain mobile threats are known to use.
The vulnerability involves many unhandled, Java-level Null Pointer Exceptions (NPEs) we found in the process of parsing Graphics Interchange Format (GIF) files in the messaging app. Attackers exploiting this flaw need only a phone number to send the malicious GIF file to a potential victim.
Figure 1: FrameSequenceDrawable in Android Messages
Android Messages uses FrameSequenceDrawable to display the GIF file. FrameSequence first builds a bitmap object based on the GIF file, and then the FrameSequenceDrawable component uses this bitmap to display the GIF. We saw, however, that the acquireAndValidateBitmap function calls the “acquireBitmap” method to obtain the bitmap (the object holding the pixel data for an image file) and uses the result without checking whether it is valid.
When FrameSequence tries to build a bitmap from a malformed GIF, we saw that the “acquireBitmap” function can fail and return null. Thus, if another module, component or variable references this null object, an NPE is triggered.
Unfortunately, both Android OS and the Android Messages app do not handle this exception. This results in the messaging app crashing while parsing a malformed GIF payload in the MMS.
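The pattern described above, as an added example that is not code from Android, Android Messages or the original post: a simplified, Android-free Java model in which Bitmap, BitmapProvider and the loader methods are hypothetical stand-ins. It sets the unchecked use of the acquireBitmap result beside a checked path that falls back to a placeholder instead of crashing.

```java
import java.util.Optional;
// Simplified, Android-free model; every type and method here is an illustrative stand-in.
public class GifBitmapDemo {
    static final class Bitmap {
        final int width, height;
        Bitmap(int width, int height) { this.width = width; this.height = height; }
    }

    interface BitmapProvider {
        Bitmap acquireBitmap(int minWidth, int minHeight); // may return null on failure
    }

    // Pattern the article describes: the result is dereferenced without a validity check.
    static Bitmap acquireUnchecked(BitmapProvider p, int w, int h) {
        Bitmap b = p.acquireBitmap(w, h);
        if (b.width < w || b.height < h) { // NullPointerException when b == null
            throw new IllegalArgumentException("bitmap too small");
        }
        return b;
    }

    // Hardened form: a null or undersized bitmap becomes an empty result.
    static Optional<Bitmap> acquireChecked(BitmapProvider p, int w, int h) {
        Bitmap b = p.acquireBitmap(w, h);
        if (b == null || b.width < w || b.height < h) return Optional.empty();
        return Optional.of(b);
    }

    // The caller shows a placeholder for one bad attachment, and also catches
    // unexpected runtime failures from the provider, so the view keeps working.
    static String render(BitmapProvider p, int w, int h) {
        try {
            return acquireChecked(p, w, h)
                    .map(b -> "gif " + b.width + "x" + b.height)
                    .orElse("[unsupported image]");
        } catch (RuntimeException e) {
            return "[unsupported image]";
        }
    }

    public static void main(String[] args) {
        BitmapProvider ok = (w, h) -> new Bitmap(w, h);
        BitmapProvider failing = (w, h) -> null; // constructed: models a decoder that gave up
        System.out.println(render(ok, 64, 64));
        System.out.println(render(failing, 64, 64));
        try { acquireUnchecked(failing, 64, 64); }
        catch (NullPointerException e) { System.out.println("unchecked path: NullPointerException"); }
    }
}
```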
Users can opt to reflash their device or reset it to its factory settings. This will remove the malicious GIF file, along with all the other files stored in the device. Users need to weigh the risks—or consider backing up the files first—before reflashing or resetting the phone. Unfortunately, uninstalling and reinstalling the app won’t be able to fix it.
Another way to mitigate attacks exploiting this vulnerability is to manually disable the “auto-download MMS” feature of Android Messages. An alternative is to use an unaffected messaging app to remove the malicious MMS file manually.
As mobile devices become increasingly ubiquitous, it’s essential to adopt good security habits to mitigate, if not prevent, threats that may exploit flaws such as this. Be more prudent when receiving unsolicited, suspicious, and unknown messages and links, and regularly keep your device’s OS and its apps updated.
Fortunately, the latest versions of Nexus and Pixel devices have the benefits of a more uniform or consistent rollout of patches. Updates on other Android devices are still fragmented, however, so users should contact their device’s manufacturer for their availability. For organizations, IT/system administrators should enforce stronger patch management policies to help improve the security of BYOD devices.
We have disclosed this security issue to Google, who worked on a fix that was released in their Android Security Bulletin for September 2017 and deployed in Google Play. The patch entails properly catching the unhandled Java-level exception. Google has also added safety net logs to monitor any attacks exploiting this vulnerability in the wild.
Trend Micro Solutions
End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (also available on Google Play), which secures data and privacy, safeguards devices from ransomware, fraudulent websites, and identity theft, and blocks malicious apps before they are installed.
For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.