Local DOS of AVIRA App

Report ID



  • Vendor: Avira
  • Product: Avira Antivirus Security for Android (
  • Affected Version: 4.2 , Platform Build version 5.0.1-1624448
  • Severity: low
  • Short summary:
    Installing a specially prepared app on a smartphone that additionally contains the AVIRA app, can result in a local denial of service of the AVIRA app.


A local denial of service attack (crash the Avira app) can be caused by sending an empty SMS broadcast. The command can look like:

am broadcast -a android.provider.Telephony.SMS_RECEIVED

This happens because of missing null value checks in the broadcast receiver class BLOnSmsBroadcastReceiver.

public void onReceive(Context arg7, Intent arg8) {
 Bundle v0 = arg8.getExtras(); <== //Problem
 if(v0 != null) {
 Object v0_1 = v0.get("pdus");

A malicious application can use this to crash the app and prevent the execution of the application. Newer Android Versions (since Lollipop) mitigate such null value broadcast, but in pre Lollipop versions it is possible to crash the app.


Suggested Mitigation

Please fix it.


  • 2015-10-10 Vulnerability Discovered
  • 2015-10-22 Vulnerability Reported
  • 2015-11-03 Vulnerability Fixed