Bogdan Alecu has confirmed that the security hole has been addressed

Dec 13, 2013 12:12 GMT

A couple of days ago, Google released the Android 4.4.2 KitKat update for Nexus devices. This update fixes the Flash SMS denial-of-service (DoS) vulnerability presented last month by a security researcher.

Bogdan Alecu, the researcher who uncovered and reported the security hole, has confirmed for Softpedia that the flaw has been addressed.

Google hasn’t mentioned anything about the fix. However, Funky Android describes one of the changes made in the latest version as “Android denial of service attack using class 0 SMS.”

The same Funky Android report reveals that another crash/DoS vulnerability, related to 0-byte WAP push messages, has also been addressed in Android 4.4.2 KitKat.

Alecu found that an attacker could reboot Google Nexus devices by sending them around 30 Flash SMS messages.

He reported his findings to Google over 1 year ago. In July, the company said that a fix would be integrated into Android 4.3. However, since Google failed to keep its promise, the researcher decided to make his findings public at the DefCamp security conference that took place in Bucharest in late November.

Alecu and Michael Mueller have developed an Android application to protect devices against such attacks.

The story of this vulnerability became even more interesting a few days later, after Google decided to remove an application from the Play app market that could be used to send such Flash SMS messages.

The app, HushSMS, was also developed by Mueller, and it had been available on Google Play since February 2012. It was suddenly removed for policy violations.

Google has failed to respond to Softpedia’s inquiry regarding this curious timing. However, it’s clear that the search engine giant started taking the whole thing more seriously after the story made the press.