Text-Message Barrage Can Crash Android Phones

A newly discovered vulnerability in Android devices could let someone flood your phone with useless, unavoidable text messages and render it temporarily unusable. Google's own Nexus line of products, unfettered by third-party carrier software, appears to be the most vulnerable.

Bogdan Alecu, a Romanian IT researcher, discovered the flaw and presented his findings at the DefCamp security conference in Bucharest on Nov. 29. By taking advantage of a protocol meant to share high-priority text messages, an interloper could turn a fully functional Android phone into a very expensive paperweight — at least until a system restart.

Here's how it works: Mobile devices (including Android systems) can communicate via a protocol called Short Message Service (SMS), which allows users to send short bursts of text to and from one another. In everyday life, this most often manifests itself in the form of text messages.


Android prioritizes different kinds of text messages, and the most urgent is called Class 0. The content in this type of message must be of life-or-death urgency (like a severe-weather warning or missing-child alert), as it will supersede all other phone functions, including phone calls.

By using software that allows a modified modem to send messages directly (without the aid of a computer or a mobile device), Alecu discovered that he could write anything he wanted and set it as a Class 0 message.

This discovery has the capacity to be troublesome on its own. Imagine being knocked off an important call to get a message saying "Hey!" or receiving an impending flood warning on a bright, sunny day. Worse still, someone could impersonate a government agency and spread hoax warnings.

Alecu's biggest find, however, concerned the number of Class 0 messages an Android device could receive. Receiving two messages at once taxes the system, but Alecu discovered that upon reaching 30 simultaneous Class 0 messages, an Android device locks up completely.

When faced with 30 Class 0 messages, an Android device running the 4.3 Jelly Bean operating system will stop the Messaging application entirely and reboot itself without any service. This means that if a phone is locked with a PIN, the device will be completely useless until a user manually reconnects it to the network.

Having to reconnect your phone to your carrier's network is not the end of the world, but unless you're the type who checks your phone compulsively, you could go hours without realizing that people have been trying to get in touch with you. This is not an ideal situation if, for example, you are a parent or a high-ranking military official.

Although Google is still addressing the issue (Alecu has confirmed that the vulnerability also exists in Android 4.4 KitKat), there is a workaround in the meantime. The free Class0Firewall app from Silent Services allows users to program how many Class 0 messages they can receive at once before their phones block further communications.
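The kind of threshold described above can be sketched as follows. This is an added example, not Class0Firewall's code or anything from Alecu's talk: it reads the message class from the SMS data coding scheme (TP-DCS) byte as laid out in 3GPP TS 23.038 and stops delivering Class 0 messages once a limit is reached. The `limit` and `window_s` parameters, their defaults and the sample burst are assumptions made for the illustration.

```python
from collections import deque

def message_class(dcs):
    """Return the SMS message class (0-3) encoded in a TP-DCS byte, or None."""
    group = dcs >> 4
    if group <= 0x7:                     # general data coding groups (00xx, 01xx)
        return dcs & 0x03 if dcs & 0x10 else None   # bit 4 set: class is present
    if group == 0xF:                     # data coding / message class group
        return dcs & 0x03
    return None                          # message-waiting and reserved groups

class Class0Limiter:
    """Deliver at most `limit` Class 0 messages per `window_s` seconds."""
    def __init__(self, limit=5, window_s=60.0):   # assumed defaults
        self.limit, self.window_s = limit, window_s
        self._delivered = deque()        # timestamps of delivered Class 0 messages

    def allow(self, dcs, now):
        if message_class(dcs) != 0:
            return True                  # other classes are never throttled
        # Forget deliveries that have aged out of the window.
        while self._delivered and now - self._delivered[0] > self.window_s:
            self._delivered.popleft()
        if len(self._delivered) >= self.limit:
            return False                 # over the limit: drop this message
        self._delivered.append(now)
        return True

def run_sample():
    """Feed a constructed burst through the limiter; return (delivered, blocked)."""
    # Constructed input: 30 Class 0 messages in 3 s, one ordinary SMS, one late alert.
    events = [(i * 0.1, 0x10) for i in range(30)] + [(3.0, 0x00), (120.0, 0x10)]
    limiter = Class0Limiter()
    results = [limiter.allow(dcs, t) for t, dcs in events]
    return results.count(True), results.count(False)

if __name__ == "__main__":
    print(run_sample())
```

Only delivered messages count toward the limit, so a genuine alert that arrives after the burst has aged out of the window still gets through.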

The odds of this happening are relatively slim, especially because a potential malefactor would need to acquire your phone number and have some insidious plan that relies on you not looking at your phone for a long period of time.

Nonetheless, it still represents a vulnerability, and you'll have to protect yourself until Google decides to patch it.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.