Android 4.4.2 fixes Class 0 SMS DoS vulnerability of Nexus devices

December 11, 2013

    Google Nexus 5 black aa 13

    Google patched in Android 4.4.2 a vulnerability that exposed Nexus devices to denial of service attacks based on a special type of text messages called Class 0 SMS.

    Security researcher Bogdan Alecu publicized the vulnerability in November, after supposedly informing Google about it more than a year ago. The issue affected only Nexus devices, regardless of the Android version, claimed Alecu, who didn’t find the problem on 20 non-Nexus devices that he tested.

    Class 0 SMS are special types of short messages that show directly on the screen of the recipient device, without entering the inbox. There are several apps in the Play Stores that allow the sending of such messages.

    Sending multiple Class 0 messages to a Nexus device could cause it to reboot, become unresponsive, or lose data and voice connectivity until the device was restarted.

    Alecu demoes the vulnerability in the video below.

    According to a changelog published by Android development company FunkyAndroid detailing the changes from Android 4.4.1 (KOT49E) to Android 4.4.2 (KOT49H), the vulnerability is fixed in the latest AOSP version of Android. From our brief testing, the problem seems to be indeed gone from an updated Nexus 5.

    The changelog reveals a few other problems fixed in Android 4.4.2:

    • Fix OOBE crash/DoS after receiving 0-byte WAP push
    • Reduce logging of flattened Preferences
    • Put fragment in specific activity’s whitelist

    In the official changelog of Android 4.4.2, Google listed “Security enhancements” as a change, which could include the Class 0 SMS vulnerability.

    Android 4.4.2 began to roll out on Monday. If you haven’t yet received it on your device, you can download the OTA zip files from here and sideload them relatively easily using our handy guide.


    • MadCowOnAStick

      im still 4.4…

      • Azeem

        Sideload the system image to your phone. It’s not that hard.

        • Arturo Raygoza

          I just spent 3 hours trying to “just sideload it” on Ubuntu after having to install the SDK for 64,bit some other codec from the app store on Ubuntu extensive googling and reading various android and Ubuntu forum.s comments and sites when Google could have saved me all that time in the first olace

          • Shark Bait

            You don’t need to install the apk, you can cheat and just download adb and fastboot ….

      • Arturo Raygoza

        me too

    • Me_

      Got the update yesterday, got a class 0 SMS message this morning :(