SIK-2016-006
Title:
Local DOS of AVIRA App
Report ID
SIK-2016-006
Summary:
- Vendor: Avira
- Product: Avira Antivirus Security for Android (https://play.google.com/store/apps/details?id=com.avira.android)
- Affected Version: 4.2, Platform Build version 5.0.1-1624448
- Severity: low
- Short summary:
Installing a specially prepared app on a smartphone that also contains the AVIRA app can result in a local denial of service of the AVIRA app.
Details:
A local denial of service attack (crashing the Avira app) can be caused by sending an empty SMS broadcast. The command can look like:
am broadcast -a android.provider.Telephony.SMS_RECEIVED
This happens because of missing null value checks in the broadcast receiver class BLOnSmsBroadcastReceiver.
    public void onReceive(Context arg7, Intent arg8) {
        Bundle v0 = arg8.getExtras();    // <== Problem
        if(v0 != null) {
            Object v0_1 = v0.get("pdus");
A malicious application can use this to crash the app and prevent it from running. Newer Android versions (since Lollipop) mitigate such null-value broadcasts, but on pre-Lollipop versions it is possible to crash the app.
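As an added illustration that is not Avira's code, the following receiver handles the empty SMS_RECEIVED broadcast described above defensively: the extras bundle, the "pdus" entry and every element of it are checked before any decoding takes place. The class name SafeSmsReceiver and the helper extractPdus are assumptions made for this example.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.SmsMessage;
import android.util.Log;

// Hypothetical hardened receiver written for this advisory; not the vendor's code.
public class SafeSmsReceiver extends BroadcastReceiver {
    private static final String TAG = "SafeSmsReceiver";

    @Override
    public void onReceive(Context context, Intent intent) {
        // "am broadcast -a android.provider.Telephony.SMS_RECEIVED" delivers an
        // intent without extras, so getExtras() returns null here.
        Object[] pdus = extractPdus(intent.getExtras());
        if (pdus.length == 0) {
            Log.w(TAG, "SMS_RECEIVED without PDUs; ignoring broadcast");
            return;
        }
        for (Object pdu : pdus) {
            SmsMessage msg = SmsMessage.createFromPdu((byte[]) pdu);
            if (msg == null) {
                continue; // malformed PDU; skip it rather than dereference null
            }
            Log.d(TAG, "SMS from " + msg.getOriginatingAddress());
        }
    }

    // Returns the "pdus" array from the bundle, or an empty array when the
    // bundle is null, the entry is missing, or any element is not a byte[].
    // Never returns null and never throws on unexpected input.
    static Object[] extractPdus(Bundle extras) {
        if (extras == null) {
            return new Object[0];
        }
        Object raw = extras.get("pdus");
        if (!(raw instanceof Object[])) {
            return new Object[0];
        }
        Object[] pdus = (Object[]) raw;
        for (Object pdu : pdus) {
            if (!(pdu instanceof byte[])) {
                return new Object[0]; // reject the whole batch on a bad element
            }
        }
        return pdus;
    }
}
```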
Workaround
–
Suggested Mitigation
Please fix it.
Timeline
- 2015-10-10 Vulnerability Discovered
- 2015-10-22 Vulnerability Reported
- 2015-11-03 Vulnerability Fixed