by Jason Gu and Seven Shen

Just about anyone can appreciate a good old meme GIF every now and then, but what if one caused your Android Messages app to crash? A denial-of-service vulnerability we recently disclosed to Google can do exactly that, and more. Designated CVE-2017-0780, we have confirmed it on the latest Nexus and Pixel devices. The flaw lets attackers remotely crash their victims' Android Messages app by sending a malformed multimedia message (MMS). The app is also unable to recover from the crash even if the device is rebooted or booted in safe mode.

Impact

Google's Play Store reports over 50 million installs of Android Messages. Given that it is also the default messaging app (that is, it cannot be uninstalled) on many Nexus and Pixel devices, the impact is palpable for both end users and the enterprises that rely on it. Businesses, for instance, can use Android Messages to improve how they communicate with customers, and users can compose more personalized messages without switching between apps. Considering that the app is being positioned as a seamless messaging service across Android platforms, rendering it unusable can seriously disrupt how Android users communicate.

Additionally, the app's inaccessibility can act as a catalyst for further attacks that device owners are unable to see, delete, or control. Such attacks can include taking over the device's SMS/MMS function, or sending and receiving the malware-laden SMS messages that certain mobile threats are known to use.

Technical Analysis

The vulnerability involves several unhandled Java-level Null Pointer Exceptions (NPEs) that we found in the messaging app's parsing of Graphics Interchange Format (GIF) files. An attacker exploiting this flaw needs only a phone number to send the malicious GIF file to a potential victim.
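The bitmap-acquisition step discussed below, reduced to a stand-in so the defect and its fix can be seen side by side. This is an added illustration, not AOSP or Trend Micro code: the Bitmap and BitmapProvider classes here are hypothetical simplifications, and the two acquireAndValidateBitmap variants reconstruct the pattern described in this analysis rather than reproduce the real FrameSequenceDrawable source.

```java
public class GifFrameGuard {
    /** Hypothetical stand-in for android.graphics.Bitmap, just enough to validate size. */
    static final class Bitmap {
        final int width, height;
        Bitmap(int w, int h) { width = w; height = h; }
    }

    /** Source of frame bitmaps; a decoder facing a malformed frame may hand back null. */
    interface BitmapProvider {
        Bitmap acquireBitmap(int minWidth, int minHeight);
    }

    /** Shape of the flaw described in the analysis: the result of acquireBitmap is used
     *  without a null check, so a malformed frame raises a NullPointerException on the
     *  drawing path, and the unhandled exception takes the whole app down. */
    static Bitmap acquireAndValidateBitmapUnsafe(BitmapProvider p, int minW, int minH) {
        Bitmap bitmap = p.acquireBitmap(minW, minH);
        if (bitmap.width < minW || bitmap.height < minH) { // NPE when bitmap == null
            throw new IllegalArgumentException("Invalid bitmap provided");
        }
        return bitmap;
    }

    /** Hardened form: check for null, and catch anything the provider throws so a bad
     *  frame degrades to "no image" for that message instead of an app-wide crash. */
    static Bitmap acquireAndValidateBitmapSafe(BitmapProvider p, int minW, int minH) {
        try {
            Bitmap bitmap = p.acquireBitmap(minW, minH);
            if (bitmap == null || bitmap.width < minW || bitmap.height < minH) {
                return null; // caller renders a placeholder instead of the GIF
            }
            return bitmap;
        } catch (RuntimeException e) {
            return null; // decoder-side NPE, IllegalArgumentException, etc.
        }
    }

    public static void main(String[] args) {
        // Constructed providers: one healthy frame, one standing in for a malformed GIF.
        BitmapProvider healthy = (w, h) -> new Bitmap(w, h);
        BitmapProvider malformed = (w, h) -> null;
        System.out.println("safe/healthy returns bitmap: " + (acquireAndValidateBitmapSafe(healthy, 64, 64) != null));
        System.out.println("safe/malformed returns null: " + (acquireAndValidateBitmapSafe(malformed, 64, 64) == null));
        try {
            acquireAndValidateBitmapUnsafe(malformed, 64, 64);
        } catch (NullPointerException e) {
            System.out.println("unsafe/malformed: unhandled NPE would crash the app");
        }
    }
}
```

The safe variant fails closed per frame, which is the property a messaging app needs: one malformed attachment must not make the whole conversation list unrenderable.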
Figure 1: FrameSequenceDrawable in Android Messages

Android Messages uses FrameSequenceDrawable to display GIF files. FrameSequence first builds a bitmap object from the GIF file, and the FrameSequenceDrawable component then uses this bitmap to display the GIF. We saw, however, that the acquireAndValidateBitmap function calls the "acquireBitmap" method on the bitmap (the pixel data for an image file) without checking whether it is valid.

As mobile devices become increasingly ubiquitous, it is essential to adopt good security habits to mitigate, if not prevent, threats that exploit flaws such as this one. Be more prudent when receiving unsolicited, suspicious, or unknown messages and links, and keep your device's OS and apps updated. Fortunately, the latest Nexus and Pixel devices benefit from a more uniform rollout of patches. Updates for other Android devices remain fragmented, however, so users should contact their device's manufacturer about availability. For organizations, IT/system administrators should enforce stronger patch management policies to improve the security of BYOD devices.

We have disclosed this security issue to Google, which produced a fix that was released in the Android Security Bulletin for September 2017 and deployed through Google Play. The patch properly catches the previously unhandled Java-level exception. Google has also added SafetyNet logging to monitor for any attacks exploiting this vulnerability in the wild.

Trend Micro Solutions

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (also available on Google Play), which secures data and privacy, safeguards devices from ransomware, fraudulent websites, and identity theft, and blocks malicious apps before they are installed.
For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.