
Text-Message Barrage Can Crash Android Phones

A newly discovered vulnerability in Android devices could flood your phone with useless, unavoidable text messages and render your phone temporarily unusable. Google's own Nexus line of products, unfettered by third-party carrier software, appears to be the most vulnerable.

Bogdan Alecu, a Romanian IT researcher, discovered the flaw and presented his findings at the DefCamp security conference in Bucharest on Nov. 29. By taking advantage of a protocol meant to share high-priority text messages, an interloper could turn a fully functional Android phone into a very expensive paperweight — at least until a system restart.

Here's how it works: Mobile devices (including Android systems) can communicate via a protocol called Short Message Service (SMS), which allows users to send short bursts of text to and from one another. In everyday life, this most often manifests itself in the form of text messages.

Android prioritizes different kinds of text messages, and the most urgent is called Class 0. The content in this type of message must be of life-or-death urgency (like a severe-weather warning or missing-child alert), as it will supersede all other phone functions, including phone calls.

By using software that allows a modified modem to send messages directly (without the aid of a computer or a mobile device), Alecu discovered that he could write anything he wanted and set it as a Class 0 message.

This discovery has the capacity to be troublesome on its own. Imagine being knocked off an important call to get a message saying "Hey!" or receiving an impending flood warning on a bright, sunny day. Worse still, someone could impersonate a government agency and spread hoax warnings.

Alecu's biggest find, however, concerned the number of Class 0 messages an Android device could receive. Receiving two messages at once taxes the system, but Alecu discovered that upon reaching 30 simultaneous Class 0 messages, an Android device locks up completely.

When faced with 30 Class 0 messages, an Android device running the 4.3 Jelly Bean operating system will stop the Messaging application entirely and reboot itself without any service. This means that if a phone is locked with a PIN, the device will be completely useless until a user manually reconnects it to the network.

Even though it's not the end of the world if you have to reconnect your phone to your carrier's network, unless you're the type who checks your phone compulsively, you could go hours without realizing that people have been trying to get in touch with you. This is not an ideal situation if, for example, you are a parent or a high-ranking military official.

Although Google is still addressing the issue (Alecu has confirmed that the vulnerability also exists in Android 4.4 KitKat), there is a workaround in the meantime. The free Class0Firewall app from Silent Services allows users to program how many Class 0 messages they can receive at once before their phones block further communications.
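The check such a filter has to make can be sketched as follows. This is an added example, not code from the article or from Class0Firewall: it reads the message class from the TP-DCS octet of an SMS-DELIVER PDU (bit layout per 3GPP TS 23.038) and suppresses Class 0 messages past a threshold. The function names, the limit of 5 per 60 seconds and the sample PDU are assumptions made for illustration.

```python
from collections import deque

def message_class(dcs):
    """Message class (0-3) signalled by a TP-DCS octet, or None if it carries none."""
    group = dcs >> 4
    if group <= 0x7:                      # general and auto-deletion coding groups
        return dcs & 0x03 if dcs & 0x10 else None  # bit 4 set: class bits are valid
    if group == 0xF:                      # data coding / message class group
        return dcs & 0x03
    return None                           # reserved and message-waiting groups

def deliver_dcs(pdu_hex):
    """Extract TP-DCS from a hex SMS-DELIVER PDU that starts with the SMSC field."""
    pdu = bytes.fromhex(pdu_hex)
    pos = 1 + pdu[0]                      # skip SMSC length octet and SMSC info
    if pdu[pos] & 0x03 != 0x00:           # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    digits = pdu[pos + 1]                 # sender address length, in digits
    pos += 3 + (digits + 1) // 2          # first octet, length, type, BCD digits
    return pdu[pos + 1]                   # pos is TP-PID; the next octet is TP-DCS

class Class0Limiter:
    """Allow at most `limit` Class 0 messages per `window` seconds (assumed policy)."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window, self.seen = limit, window, deque()

    def allow(self, now, dcs):
        if message_class(dcs) != 0:
            return True                   # only Class 0 is rate-limited
        while self.seen and now - self.seen[0] > self.window:
            self.seen.popleft()           # forget arrivals outside the window
        if len(self.seen) >= self.limit:
            return False                  # suppress instead of displaying
        self.seen.append(now)
        return True

# Constructed sample PDU: sender 15555550100, TP-DCS 0x10 (Class 0), text "Hi".
SAMPLE_CLASS0 = "00040B915155550501F0001031119201000000" "02C834"

def simulate_burst(count=30, limit=5):
    """Feed `count` identical Class 0 messages arriving at the same instant."""
    limiter = Class0Limiter(limit=limit)
    dcs = deliver_dcs(SAMPLE_CLASS0)
    return [limiter.allow(0.0, dcs) for _ in range(count)]

if __name__ == "__main__":
    print(simulate_burst().count(False), "of 30 Class 0 messages suppressed")
```
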

The odds of this happening are relatively slim, especially because a potential malefactor would need to acquire your phone number and have some insidious plan that relies on you not looking at your phone for a long period of time.

Nonetheless, it still represents a vulnerability, and you'll have to protect yourself until Google decides to patch it.

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

  • jkhoward
    Well...

    I want to share this with everyone out there. I have also found this same bug on the iOS system a while back but didn't want to share it with anyone because I didn't want Apple to fix it. If you create a massive text message full of emojicons on the iPhone it will crash the phone that you send it to for a few minutes, hours, or it may require a restart. I have tried this on a few of my friends' phones and it locked up a lot of them for a long period of time and required my friend to have to restore his 4S, which is much slower than the 5, which is probably why it crashed. Go ahead and give it a shot and let's see a post about Apple trying to fix this feature!

    iChat must be enabled..

    If you send this to a person without an iPhone or iChat you will cost them millions of dollars in text message fees.

    Have fun!(:
  • jkhoward
    Double post.. my bad..
  • okibrian
    Somehow I knew that if I found an article on Tom's with anything negative at all about Android I would find a post of someone trying to bring Apple into it. What do you know; it was the very first post. Misery loves company.
  • jkhoward
    It isn't a post to say Apple is good. Not at all.. Apple sucks. I just thought this was the right time to share my findings.
  • okibrian
    I got that you hate Apple. The point is you have to take to an article about a bug in Android to proclaim that Apple sucks.
  • guanyu210379
    All software, including OSs, has bugs: iOS, Android, etc. Face it! There is no bug-less software.
    No need to fight!
  • okibrian
    All software does have bugs, no question about it. And people should man up, or woman up, and just accept that vice dragging others into it. Again, that was my point.