A team of Italian researchers has discovered and patched a Denial of Service (DoS) vulnerability in the Android operating system which could allow attackers to render a device “totally unresponsive”.
An exploiting application targets the Zygote socket in the OS’ Linux layer by forcing the system to fork, thereby flooding it with a large number of requests for dummy processes and using up all of the device’s memory resources.
Using the DoSChecker application, low-memory devices, like the Optimus One, crashed within a minute, while the Galaxy Tab lasted two. The team noted that while the DoS attack was occurring “users experience a progressive reduction of the system responsiveness that ends with the system crash and reboot.”
After the device crashes, it attempts to reboot, but the researchers note that a genuine attacker could engineer malware to run DoSChecker as a boot service, forcing the device to continually crash and reboot. The fix for this situation would require the user to manually detect and uninstall the offending application with an adb tool or by reflashing the device.
In addition to the older versions of Android, the researchers tested versions 4.0 and 4.0.3 using emulated devices, achieving the same results.
Two countermeasures against the vulnerability are suggested:
“1. Zygote process fix. This fix consists of checking whether the fork request to the Zygote process comes from a legal source (at present, only the System server, although our patch is trivially adaptable to future developments).
“2. Zygote socket fix. This fix restricts the permissions on the Zygote socket at the Linux layer.”
Both countermeasures are described as functional in the emulator and on the actual devices and the researchers have reported the exploit and fixes to the Android security team.
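The two countermeasures can be illustrated on an ordinary Linux Unix-domain socket. This C sketch is an added example, not the researchers' patch or Android source: the function names, the socket path passed in, and the choice to identify the "legal source" by its kernel-reported UID are assumptions.

```c
#define _GNU_SOURCE           /* struct ucred, SO_PEERCRED (Linux-specific) */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Socket fix: bind a Unix socket whose file node is owner/group only (0660).
 * Returns the listening fd, or -1 on error. */
int bind_restricted(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);                    /* remove a stale node from a previous run */
    mode_t old = umask(0117);        /* node is created 0660, never briefly wider */
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    umask(old);
    if (rc < 0 || listen(fd, 4) < 0) { close(fd); return -1; }
    return fd;
}

/* Process fix: accept a request only if the peer's UID, as reported by the
 * kernel, equals allowed_uid (assumed stand-in for the one legal caller).
 * Any error is treated as "not allowed" (fail closed). */
int peer_is_allowed(int fd, uid_t allowed_uid)
{
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0) return 0;
    if (len != sizeof cred) return 0;
    return cred.uid == allowed_uid;
}

int main(void)
{
    int sv[2];                       /* constructed test connection */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    uid_t me = getuid();
    printf("caller with expected uid allowed: %d\n", peer_is_allowed(sv[0], me));
    printf("caller with other uid allowed:    %d\n", peer_is_allowed(sv[0], me + 1));
    close(sv[0]); close(sv[1]);
    return 0;
}
```

The credential check relies on values the kernel attaches to the connection, so a client cannot forge them in the request payload.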
The Next Web reports that due to the potentially huge danger presented by the vulnerability, Google will be using one of the fixes laid out in the paper as part of the next Android update.