CVE-2019-2232 allows permanent DoS attacks against Android smartphones

We are approaching the end of a year marked by a steady stream of vulnerabilities in the Android operating system and, although most of them pose little risk to users, there are some dangerous exceptions. Vulnerability testing specialists note that the December Android Security Bulletin disclosed three security flaws in the Android framework component; one of them is rated critical, because a malicious message can trigger a permanent denial of service (DoS) condition on the receiving device.

The update that fixes these bugs is already available. The bad news is that not every Android device will receive it, and those that do will not all receive it at the same time.

The last few weeks have been somewhat daunting in terms of security for Android users. A vulnerability was recently reported that, if exploited, would allow a threat actor to remotely take control of a device, activate its camera and microphone, and collect information about the victim. Hundreds of thousands, or even millions, of Android users remained exposed to this flaw until it was corrected, according to vulnerability testing specialists.

Subsequently, it was revealed that an update to Rich Communication Services (RCS) could expose some Android users to exploitation of the "StrandHogg" vulnerability, which can give malicious apps access to text messages and media content and allow them to harvest users' login credentials.

Of the three framework vulnerabilities reported in the December Android Security Bulletin, CVE-2019-2232 stands out as the most dangerous. The bulletin attributes it to improper input validation in the handleRun method of TextLine.java, part of the framework's text layout code, which can crash the application that is rendering the text.

Put another way, using a specially crafted message, a threat actor can trigger a permanent denial of service (DoS) condition on a vulnerable Android device: the affected process crashes each time it tries to render the malformed text, which can leave the device unusable until the message is removed. As if that were not enough, exploitation needs no user interaction beyond the device receiving the message, and the attacker needs no additional execution privileges. The vulnerability affects Android versions 8.0, 8.1, 9 and 10.

However, it is not all bad news: Google announced that fixes for CVE-2019-2232 and the other two framework vulnerabilities are already available in the Android Open Source Project (AOSP) repository, and devices with a security patch level of 2019-12-01 or later include them.

The biggest setback is that not all Android users will receive the update, since the availability of these fixes depends on the device manufacturer, vulnerability testing specialists note. Google Pixel devices receive the update before those of any other manufacturer.
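Because rollout depends on the manufacturer, the practical question for a user or an administrator is whether a given device has actually received the fix. The following script is an added example, not code from the original article or from Google; it reads the standard Android system properties `ro.build.version.release` and `ro.build.version.security_patch` (as printed by `adb shell getprop`) and compares them with the affected versions and the 2019-12-01 patch level stated in the December 2019 bulletin. The `adb` invocation assumes USB debugging is enabled and the `adb` binary is on the PATH; the embedded `getprop` excerpts are constructed samples, not captures from real devices.

```python
"""Check whether an Android device carries the patch level that fixes CVE-2019-2232.

Added example (not from the original article). The affected releases and the
fixing patch level come from the December 2019 Android Security Bulletin.
"""
import re
import subprocess
from datetime import date

# Releases listed as affected in the bulletin, and the patch level that fixes them.
AFFECTED_RELEASES = {"8.0", "8.1", "9", "10"}
FIXED_PATCH_LEVEL = date(2019, 12, 1)

# `getprop` prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$", re.MULTILINE)


def parse_getprop(output: str) -> dict:
    """Turn `adb shell getprop` output into a dict (tolerates CRLF from adb)."""
    output = output.replace("\r\n", "\n")
    return {m.group("key"): m.group("value") for m in _PROP_RE.finditer(output)}


def normalise_release(release: str) -> str:
    """Map ro.build.version.release ('8.1.0', '9', '10') onto the bulletin's naming."""
    parts = release.strip().split(".")
    if not parts or not parts[0].isdigit():
        return ""
    if parts[0] == "8":  # the bulletin distinguishes 8.0 from 8.1
        return "8.1" if len(parts) > 1 and parts[1] == "1" else "8.0"
    return parts[0]


def parse_patch_level(value: str):
    """Parse ro.build.version.security_patch ('YYYY-MM-DD'); None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def assess(props: dict) -> dict:
    """Decide whether the device described by `props` has the fix."""
    release = normalise_release(props.get("ro.build.version.release", ""))
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    in_range = release in AFFECTED_RELEASES
    patched = patch is not None and patch >= FIXED_PATCH_LEVEL
    if in_range and patched:
        verdict = "patched"
    elif in_range:
        verdict = "VULNERABLE"
    elif release and int(release.split(".")[0]) < 8:
        # Out-of-support releases are not assessed by the bulletin at all;
        # absence from the affected list is not evidence that they are safe.
        verdict = "unsupported release, not assessed by the bulletin"
    else:
        verdict = "not in the bulletin's affected range"
    return {
        "release": release,
        "security_patch": patch.isoformat() if patch else None,
        "verdict": verdict,
    }


def assess_connected_device(serial=None) -> dict:
    """Query a USB-debugging-enabled device through adb and assess it (assumes adb on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop"]
    output = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return assess(parse_getprop(output))


# Constructed sample excerpts of `getprop` output (not captured from real devices).
SAMPLE_UNPATCHED = """[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-11-05]
[ro.product.model]: [example-device]
"""
SAMPLE_PATCHED = """[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2019-12-05]
"""

if __name__ == "__main__":
    for name, sample in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(name, assess(parse_getprop(sample)))
```

The verdict deliberately separates "patched" from "not in the affected range": an Android 7 handset is absent from the bulletin because it is out of support, not because it was assessed and found safe, which is the situation the article's advice about older devices is about.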

Users of recently released third-party devices, such as the newest Samsung Galaxy models, should also receive these fixes shortly, while users of some older devices may never receive an update at all.

If your device does not receive this set of updates, vulnerability testing specialists from the International Institute of Cyber Security (IICS) say the best alternative is to acquire a newer model: even though an older Android device will keep working, it is important to remain protected against the latest mobile security threats.