In Android 4.4.2, Google patched a vulnerability that exposed Nexus devices to denial-of-service attacks based on a special type of text message called Class 0 SMS.
Security researcher Bogdan Alecu publicized the vulnerability in November, after supposedly informing Google about it more than a year ago. The issue affected only Nexus devices, regardless of the Android version, claimed Alecu, who didn’t find the problem on 20 non-Nexus devices that he tested.
Class 0 SMS messages are a special type of short message that is shown directly on the screen of the recipient device, without entering the inbox. There are several apps in the Play Store that allow the sending of such messages.
Sending multiple Class 0 messages to a Nexus device could cause it to reboot, become unresponsive, or lose data and voice connectivity until the device was restarted.
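For defenders who can see SMS metadata (for example at an SMS gateway), the sketch below recognises Class 0 messages from the TP-DCS octet defined in 3GPP TS 23.038 and flags a sender that delivers many of them in a short time. It is an added example, not code from Google, Alecu or the original article; the event tuple layout, the sender labels and the `limit`/`window` thresholds are assumptions.

```python
from collections import deque

def sms_class(dcs):
    """Return the message class (0-3) carried in a TP-DCS octet, or None."""
    group = dcs >> 4
    if group <= 0x7:
        # General data coding (00xx) and auto-deletion (01xx) groups:
        # bit 4 says whether bits 1..0 hold a message class.
        return dcs & 0x03 if dcs & 0x10 else None
    if group == 0xF:
        # Data coding / message class group: bits 1..0 are always the class.
        return dcs & 0x03
    return None  # message-waiting and reserved groups carry no class

def flag_class0_bursts(events, limit=5, window=60):
    """Return (timestamp, sender, count) each time one sender has more than
    `limit` Class 0 messages inside a sliding `window` of seconds."""
    recent = {}
    alerts = []
    for ts, sender, dcs in sorted(events):
        if sms_class(dcs) != 0:
            continue
        seen = recent.setdefault(sender, deque())
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) > limit:
            alerts.append((ts, sender, len(seen)))
    return alerts

# Constructed sample: (seconds, sender, TP-DCS). Not real traffic.
SAMPLE = [(t, "sender-A", 0x10) for t in range(8)] + [
    (2, "sender-B", 0x00),   # ordinary SMS, no class
    (3, "sender-B", 0xF0),   # single Class 0 message
    (4, "sender-C", 0xC8),   # message-waiting indication
]

if __name__ == "__main__":
    for alert in flag_class0_bursts(SAMPLE):
        print(alert)
```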
Alecu demonstrated the vulnerability in a video.
According to a changelog published by Android development company FunkyAndroid detailing the changes from Android 4.4.1 (KOT49E) to Android 4.4.2 (KOT49H), the vulnerability is fixed in the latest AOSP version of Android. From our brief testing, the problem does indeed seem to be gone from an updated Nexus 5.
The changelog reveals a few other problems fixed in Android 4.4.2:
- Fix OOBE crash/DoS after receiving 0-byte WAP push
- Reduce logging of flattened Preferences
- Put fragment in specific activity’s whitelist
In the official changelog of Android 4.4.2, Google listed “Security enhancements” as a change, which could include the Class 0 SMS vulnerability.