My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets




PendingIntent—is a vulnerability in the account management’s subsystem of applications running on Google Android devices (versions prior to 5.0). If an Android application uses authentication for any Internet service, a separate account registration mechanism can be implemented for this application in the system section "Settings—Accounts". The user needs to enter their account details only once. Next time the authentication is required, the application can refer directly to the "Settings—Accounts" section. While account is registered, the operating system sends the parameters entered by the user to the application. The special PendingIntent field is among those parameters. Due to an error in the src/com/android/settings/accounts/ component, the system does not check the value of the transferred field, while the PendingIntent field has system privileges in the Android operating system. Theoretically, this vulnerability allows cybercriminals to send any command as the PendingIntent’s parameter value, for example, the command to destroy all data on the attacked mobile device. Such command will be automatically executed by the operating system. Using this method, cybercriminals can send the operating system component a command that will be processed as getting a new SMS with the specified contents. This fake SMS will be put on the list of received messages. Therefore, the user is likely to consider this message a real one.

Dr.Web anti-virus for Android detects and removes malicious programs that use the PendingIntent vulnerability just after the beginning of the installation process. So Dr.Web anti-virus users are effectively protected from such Trojans.

Technical details

This vulnerability is found in the component of the Android operating system. The component is responsible for creating the user account repository in different Android applications. The addAccount method executed by this component uses PendingIntent, some fields of which are blank. PendingIntent has the same system rights as the "Settings" application.

The malicious program created by cybercriminals can register itself in the system as a user account authenticator (system privileges are not required).

Then the malware can send the "Settings" program a request to create a user account authenticator. Once the "Settings" program receives this request, it automatically activates the addAccount method and sends the application the PendingIntent parameter, which is associated with the method. Since some fields of PendingIntent are blank, the malicious program can fill them with its own contents and then use them. For example, if PendingIntent’s value is an «android.intent.action.MASTER_CLEAR» command, the operating system will perform a hard reset on the mobile device.

See also information about other vulnerabilities