avast! Mobile Security Android application version 2.0.3587, and possibly earlier versions, contains a denial-of-service vulnerability.
avast! Mobile Security (version 2.0.3587) crashes if an Intent is sent to com.avast.android.mobilesecurity.app.scanner.DeleteFileActivity with no arguments. Upon receiving the malformed Intent, the application crashes with the following message:
“Unfortunately, avast! Mobile Security has stopped.”
The logcat log contains a message confirming that the application has crashed.
“I/ActivityManager( 175): Process com.avast.android.mobilesecurity (pid 6596) has died.”
As a result, a malicious application is able to disable the avast! Mobile Security software.
A malicious application installed on the phone may be able to disable the avast! Mobile Security software.
Apply an Update
Upgrade to avast! Mobile Security version 2.0.4400 or later to address this vulnerability.
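For another application to deliver that Intent, DeleteFileActivity has to be exported. The following added example (not from this advisory or from the vendor) lists the activities in a decoded AndroidManifest.xml that any application can start without holding a permission; the manifest, package name and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Constructed manifest (hypothetical package); not the vendor's real manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.scanner">
  <application>
    <activity android:name=".app.scanner.DeleteFileActivity" android:exported="true"/>
    <activity android:name=".app.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".app.SettingsActivity"/>
    <activity android:name="AdminActivity" android:exported="true"
              android:permission="com.example.scanner.permission.ADMIN"/>
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; else an <intent-filter> implies it (pre-Android 12)."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def full_name(package, name):
    # Resolve the manifest shorthand (".Foo" or "Foo") to a full class name.
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name


def unguarded_exported_activities(manifest_xml):
    """Return activities any other app can start without holding a permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_permission = app.get(A + "permission")  # inherited by components without their own
    return [
        full_name(package, c.get(A + "name", ""))
        for c in app.findall("activity") + app.findall("activity-alias")
        if is_exported(c) and not (c.get(A + "permission") or app_permission)
    ]
```

Every activity it lists has to treat the incoming Intent as untrusted, including one that arrives with no extras.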
Vendor | Status | Date Notified | Date Updated
Avast! Antivirus Software | | 22 Mar 2013 | 16 Apr 2013
Group | Score | Vector
Base | 3.8 | AV:L/AC:H/Au:S/C:N/I:N/A:C
Temporal | 3.0 | E:POC/RL:OF/RC:C
Environmental | 2.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND
Thanks to Kurt Traver for reporting this vulnerability.
This document was written by Jared Allar.