Security researchers said they have uncovered bugs in Google's Android operating system that could allow malicious apps to send vulnerable devices into a spiral of endlessly looping crashes and possibly delete all data stored on them.
Apps that exploit the denial-of-service vulnerability work on Android versions 2.3, 4.2.2, 4.3, and possibly many other releases of the operating system, researcher Ibrahim Balic wrote in a blog post published last week. Attackers could exploit the underlying memory corruption bug by hiding attack code in an otherwise useful or legitimate app that is programmed to be triggered only after it is installed on a vulnerable handset. By filling the Android "appname" field with an extremely long value exceeding 387,000 characters, the app can cause the device to go into an endless series of crashes.
"We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets, which include 'bricking' a device or rendering it unusable in any way," Veo Zhang, a mobile threats analyst at Trend Micro, wrote in a blog post published Sunday. "In this context, the device is 'bricked' as it is trapped in an endless reboot loop."