Two New Android Bugs Mess up Messaging; May Lead to Multiple Send Charges

Two newly discovered Android vulnerabilities can potentially be used to mess up specific messaging functions in phones and tablets. The first, designated as CVE-2015-3839, may allow attackers to insert malicious messages in the system messaging app and cause it to crash, thus blocking users from sending or receiving messages. Meanwhile, the second flaw, designated as CVE-2015-3840, allows attackers to tamper with the sent/received statuses of SMS and MMS messages, may lead to multiple send charges for users.

Unlike the recently disclosed “Stagefright” and a couple of other vulnerabilities targeting the mediaserver component in Android, the two new bugs deviate by targeting messaging components instead. Both flaws can be exploited in all Android versions, including the latest Android 5.1.1 Lollipop, but directly affects the plain Vanilla Android version more. (Vanilla Android here refers to the pure, non-customized OEM version of Android, the one directly coming from Google.) This is because the “pure” Vanilla OS typically still uses the original messaging app which these vulnerabilities target, as opposed to non-Vanilla Android versions which have probably been upgraded to use customized or alternate messaging apps.

We have reported both vulnerabilities to Google and they have included our suggested patches to address the bugs. Both vulnerabilities are assigned with a low severity rating. We are continually monitoring for possible attacks.

CVE-2015-3839 Helps Crash Messaging App

This bug is a slightly more focused version of the previously reported Android vulnerability that traps phones in endless reboots. Similar to the Android mediaserver bug, attackers can exploit CVE-2015-3839 by tricking users into installing a malicious app without any permission required. The difference is this bug may allow attackers to perform a Denial-of-Service (DoS) attack only on the messaging app and not the whole device. As a result, users can’t send or receive messages using the messaging app.

This flaw originates from a null pointer exception (NPE) when updating the message status. Android devices use the “updateMessageStatus” function after sending text messages to update the status of the message in the SMS-STATUS-REPORT PDU (Protocol Data Unit) format. However, there are pieces of code in this function that do not properly handle exceptions, allowing attackers an opening to crash the messaging app.

Figure 1. Piece of code that can not handle exceptions

To do this, attackers would have to bypass the null checking part in the “updateMessageStatus” function. They can do this by getting the “createfromPdu” function, which is used to parse incoming PDUs and store the message object, to return a new “smsMessage” object. This function does not validate the message object “wrappedMessage” and always returns with a new “SmsMessage” object for both the 3GPP (GSM) and 3GPP2 (CDMA) formats.

Figure 2. “createfromPDU” function that returns with a new “SmsMessage” object

This will definitely bypass the null checking part in “updateMessageStatus”. However, if the “wrappedMessage” happens to be null, invoking “getStatus” can also cause a “NullPointerException” error. Since the caller function “updateMessageStatus” does not handle exceptions, the whole app will crash and be terminated.

Figure 3. Crash stack of NullPointerException in com.android.mms

Attackers need only insert malicious PDUs to cause a “NullPointerException” error. We have done this by injecting a simple malicious PDU to “MessageStatusService”:

//Malicious PDU in bytes

{00, 02, 00, 02, D0, 65, 61, 60, 80, 90, 25, 12, 23, 61, 60, 80, 01, 25, 12, 23, 00, FF};

The following demo videos show how this can be done on Android 4.4.4 and 5.1.1 :

CVE-2015-3839 Proof-of-concept attack on an Android 4.4.4 device

CVE-2015-3839 Proof-of-concept attack on an Android 5.1.1 emulator

CVE-2015-3840 Allows for Tampering, May Lead to Multiple Send Charges

This bug can be exploited to modify SMS/MMS without the according “WRITE_SMS” permission required. Attackers may use an unprivileged, malicious app to a privilege escalation attack to the Android security model to modify the received status and date of SMS/MMS.

The flaw originates from a vulnerable “MessageStatusReceiver” service in the AndroidManifest.XML file. This service triggers message status updates according to the incoming SMS-STATUS-REPORT PDU. Since it has neither permission protection nor intent protection, it allows any unprivileged third-party app to send fake broadcasts and compromise SMS/MMS data.

<receiver android:name=”.transaction.MessageStatusReceiver”> <intent-filter> <action android:name=”com.android.mms.transaction.MessageStatusReceiver.MESSAGE_STATUS_RECEIVED” /> </intent-filter> </receiver

Vulnerable receiver that can be compromised to update message status

As a result, attackers can tamper with a received message and tag it as “unsuccessful,” possibly tricking the user into resending the message. In a worst-case where the attackers use a malicious app to monitor and modify conversations, they can have the users continually send messages to a premium service number and charge the users for it.

To exploit this vulnerability, we injected the following malicious PDU and broadcasted it to the vulnerable receiver:

Inject malicious PDU to mark SMS status as received

// malicious PDU in bytes

{00, 02, 00, 02, D0, 65, 61, 60, 80, 90, 25, 12, 23, 61, 60, 80, 01, 25, 12, 23, 00}

Inject malicious PDU to mark SMS status as unsuccessful

// malicious PDU in bytes

{00, 02, 00, 02, D0, 75, 71, 60, 80, 70, 42, 34, 56, 61, 60, 80, 01, 25, 14, 15, 40}

The following demo videos show how this can be done on Android 4.4.4 and 5.1.1 :

CVE-2015-3840 Proof-of-concept attack on Android 4.4.4 device

CVE-2015-3840 Proof-of-concept attack on Android 5.1.1 emulator

Recommendations

Android device patching is typically fragmented, and so, end users should consider using alternate messaging apps while patches are underway. Installing mobile protection solutions that block this specific threat should also be considered.

Trend Micro covers end users with solutions that detect the attack and protect from this vulnerability. Trend Micro™ Mobile Security and the cloud-based Mobile App reputation Service will detect malware that may attack CVE-2015-3839 as AndroidOS_MsgDoS.A and CVE-2015-3840 as AndroidOS_MsgCrack.A.

Disclosure Timeline

This vulnerability was disclosed to Google, with details outlined below:

June 4: We disclosed detailed reports to Google.
June 7: Google confirmed the issue and assigned CVE-2015-3839 and CVE-2015-3840.
July 20: We provided Google with code that would remedy the vulnerability.
Aug 7: Google accepted the patches and merged them into the AOSP master branch.