Android 4.4.2 fixes Class 0 SMS DoS vulnerability of Nexus devices

by: Bogdan PetrovanDecember 11, 2013

Google Nexus 5 black aa 13

Google patched in Android 4.4.2 a vulnerability that exposed Nexus devices to denial of service attacks based on a special type of text messages called Class 0 SMS.

Security researcher Bogdan Alecu publicized the vulnerability in November, after supposedly informing Google about it more than a year ago. The issue affected only Nexus devices, regardless of the Android version, claimed Alecu, who didn’t find the problem on 20 non-Nexus devices that he tested.

Class 0 SMS are special types of short messages that show directly on the screen of the recipient device, without entering the inbox. There are several apps in the Play Stores that allow the sending of such messages.

Sending multiple Class 0 messages to a Nexus device could cause it to reboot, become unresponsive, or lose data and voice connectivity until the device was restarted.

Alecu demoes the vulnerability in the video below.

According to a changelog published by Android development company FunkyAndroid detailing the changes from Android 4.4.1 (KOT49E) to Android 4.4.2 (KOT49H), the vulnerability is fixed in the latest AOSP version of Android. From our brief testing, the problem seems to be indeed gone from an updated Nexus 5.

The changelog reveals a few other problems fixed in Android 4.4.2:

  • Fix OOBE crash/DoS after receiving 0-byte WAP push
  • Reduce logging of flattened Preferences
  • Put fragment in specific activity’s whitelist

In the official changelog of Android 4.4.2, Google listed “Security enhancements” as a change, which could include the Class 0 SMS vulnerability.

Android 4.4.2 began to roll out on Monday. If you haven’t yet received it on your device, you can download the OTA zip files from here and sideload them relatively easily using our handy guide.

  • MadCowOnAStick

    im still 4.4…

    • Azeem

      Sideload the system image to your phone. It’s not that hard.

      • Arturo Raygoza

        I just spent 3 hours trying to “just sideload it” on Ubuntu after having to install the SDK for 64,bit some other codec from the app store on Ubuntu extensive googling and reading various android and Ubuntu forum.s comments and sites when Google could have saved me all that time in the first olace

        • Shark Bait

          You don’t need to install the apk, you can cheat and just download adb and fastboot ….

    • Arturo Raygoza

      me too

  • Me_

    Got the update yesterday, got a class 0 SMS message this morning :(