Android ‘Cupcake’ Vulnerabilities Get Patched

Microsoft and T-Mobile aren’t the only mobile vendors moving to cope with some unexpected headaches: Google has patched two bugs in version 1.5 of its mobile open source platform, Android.

The software version, codenamed Cupcake, faced two vulnerabilities that could have led to denial-of-service (DoS) attacks, according to researchers at the Open Source Computer Emergency Response Team (oCERT).

One of the vulnerabilities involved Android’s SMS management, according to an advisory released by oCERT earlier this week. The flaw allows an attacker to use WAP (Wireless Application Protocol) push messages to disconnect a mobile phone from a cellular network. WAP push messages are typically used to send ringtones, wallpaper and other content to mobile users.

A maliciously coded WAP message can cause the smartphone to reboot without the user’s knowledge, which can lead to a temporary loss of connectivity and dropped calls, according to oCERT.

In cases where the phone’s SIM (subscriber identity module) is protected by a PIN, users will need to re-enter the PIN to re-establish connectivity, causing longer delays. If the bug is triggered repeatedly, it could result in a denial-of-service condition, oCERT said.

The other DoS vulnerability relied on the API for Android’s Dalvik virtual machine.

“A specific malicious application can be crafted so that if it is downloaded and executed by the user, it would trigger the vulnerable API function and restart the system process. The same condition could occur if a developer unintentionally places the vulnerable function in a place where the execution path leads to that function call. Triggering this bug is considered a DoS condition,” oCERT said in its warning.

The advisories came out last week after Google issued patches addressing both problems.

The fixes come as Cupcake is being supplanted by version 1.6 of the open source mobile OS. The newer edition, dubbed Donut, is being rolled out slowly in the U.S. by T-Mobile to its Android users.

The Donut update is expected to bring several significant enhancements to the OS. It also coincides with a makeover of the Android Market, the online store for mobile apps based on the software.