CVE-2017-5217

Name of the Vulnerable Software and Affected Versions Samsung Android devices with KK(4.4), L(5.0/5.1), and M(6.0) software

Description A zero-permission Android application can crash the system server process on certain Samsung Android devices. The application creates an active install session for an embedded app, which writes an APK file to the /data/app directory. The APK file has a large but valid AndroidManifest.xml file, containing a large string value for a permission-tree name. When the system server tries to parse the APK file, it crashes due to memory constraints, causing a soft reboot. This process repeats as parsing APKs is part of the normal boot process.

Recommendations For Samsung Android devices with KK(4.4), L(5.0/5.1), and M(6.0) software, consider disabling the com.android.server.pm.PackagePrefetcher class as a temporary workaround to prevent the system server crash. Restrict access to the /data/app directory to minimize the risk of exploitation. Avoid installing zero-permission apps that may contain embedded APK files with large AndroidManifest.xml files. At the moment, there is no information about a newer version that contains a fix for this issue.