Security researchers whispered they be inflicted with uncovered bugs in the sphere of Google's machine operating logic with the aim of may well allow malicious apps to throw vulnerable policy into a spiral of endlessly looping crashes and probably delete all data stored on them.
Apps with the aim of exploit the denial-of-service vulnerability bring about on machine versions 2.3, 4.2.2, 4.3, and probably many other releases of the operating logic, researcher Ibrahim Balic wrote in the sphere of a blog station in print only remaining week. Attackers may well exploit the underlying reminiscence corruption bug by defeat attack code in the sphere of an otherwise worthwhile or else legitimate app with the aim of is involuntary to befall triggered just afterward it is installed on a vulnerable handset. By heavy the machine "appname" theme with an really lingering price exceeding 387,000 font, the app can cause the device to move out into an endless succession of crashes.
"We believe with the aim of this vulnerability might befall used by cybercriminals to perform various large wound on machine smartphones and medicine, which include 'bricking' a device or else rendering it unusable in the sphere of slightly way," Veo Zhang, a portable threats analyst by Trend Micro, wrote in the sphere of a blog station in print Sunday. "In this context, the device is 'bricked' in the same way as it is trapped in the sphere of an endless reboot sphere."
Zhang whispered the attack machinery by entering hefty amounts of data into the bustle label, which is the machine equivalent of the Window title in the sphere of Microsoft Windows operating systems. In the same way as a consequence, attackers can create booby-trapped apps with the aim of be inflicted with the possibility to exploit the vulnerability. Zhang explained:
If a cybercriminal builds an app containing a hidden bustle with a hefty label, the user willpower be inflicted with rebuff purpose at all with the aim of this exploit is in the sphere of piece of evidence taking place. Cybercriminals can more conceal the exploit by setting a timed trigger event with the aim of stops the current app bustle and at that time opens the hidden bustle. Once the timed event is triggered, the exploit runs, and the logic member of staff serving at table crashes in the same way as a consequence. This stops all functionality of the portable device, and the logic willpower befall enforced to reboot.
An even worse task is once the malware is on paper to start without doubt in the lead device startup. Liability so willpower con the device in the sphere of a rebooting sphere, rendering it useless. In the sphere of this task, just a ankle boot loader recovery arrange willpower bring about, which income with the aim of all the in a row (contacts, photos, collection, and the like.) stored inside the device willpower befall erased.
Interestingly, Balic whispered with the aim of his exploit appeared to trigger a denial-of-service condition on Bouncer, the cloud-based scanner with the aim of scours the executive Google sport app marketplace in lieu of malicious titles. He based his observation of the performance of sport shortly afterward uploading a proof-of-concept exploit to Google servers to understand if Bouncer would detect the malicious behavior.
"Then I realized with the aim of it caused denial of service on Google sport," he wrote. "Because I ongoing to follow various errors from Google sport! Afterward various google-ing, I understand with the aim of many community couldn't upload their apps to Google sport in my test! I think it was probably for the reason that of trying my [proof-of-concept] exploit on Google sport." On Monday, Balic whispered Bouncer remains vulnerable still.
Trend Micro warned with the aim of attacks be inflicted with the possibility to erase all of the data stored on a vulnerable device if they force victims to go a testing factory reset while a device is cycling through a succession of automatic reboots.
Tags : Malicious , app, Android , phone
没有评论:
发表评论