Android 4.4.2 changelog confirms SMS vulnerability fix

Google Android 4.4 KitKat

Google surprised many by quickly following up Android 4.4.1 with Android 4.4.2. We surmised at the time that Google found a bug serious enough to stop deploying version 4.4.1 and replace it with 4.4.2 before resuming the rollout. This has now been confirmed through the Android 4.4.2 changelog that shows differences between the two versions.

The KOT49H (4.4.2_r1) AOSP changelog was generated by the Funky Android team and shows the following changes:

  • 567ea11: Fix OOBE crash/DoS after receiving 0-byte WAP push.
  • 3574026: Reduce logging of flattened Preferences
  • d00f7cd: Android denial of service attack using class 0 SMS messages
  • 37f06a4: Put fragment in specific activity’s whitelist

As you can see from the list, one of the fixes, d00f7cd, fixes a class 0 SMS vulnerability found in Nexus smartphones. The bug allowed class 0 SMS messages which are different from regular SMS messages in that they pop up on the screen automatically to essentially stack up. With enough of these received and not dismissed, the phone would then start to behave erratically, most often simply rebooting.

The Android 4.4.2 rollout is in full swing now for Nexus devices and is available for recent Nexus devices including the Nexus 7 (2012 and 2013 editions), Nexus 4 and Nexus 5. If you have yet to receive it, you can also trigger a manual check via Settings -> About phone -> System Updates -> Check now. or even sideload it.

Sources : Funky Android // Phandroid