New Android vuln renders phones 'dead'

Vulnerability present in Android 4.3 Jelly Bean and above, Trend Micro says

Tags: Google AndroidGoogle IncorporatedTrend Micro Incorporated
  • E-Mail
New Android vuln renders phones 'dead' The attack can be exploited either through a malicious app installed on the device, or through a specifically created website
By  Tom Paye Published  August 20, 2015

Trend Micro has discovered a new Android vulnerability that can render a phone silent, unable to make calls, with a lifeless screen.

According to the security company, phones running Android 4.3 Jelly Bean up to the current version are vulnerable to the attack. Trend Micro said that, combined, these versions make up more than half of Android devices in use today, and that no patch had been issued to the Android Open Source Project (AOSP) code by the Android Engineering Team.

The attack can be exploited in two way - either through a malicious app installed on the device, or through a specifically created website.

"The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would case the OS to crash every time it is turned on," the vendor wrote in a blog post.

"In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability. Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs."

The vulnerability lies in the ‘mediaserver' service, which is used by Android to index media files that are located on the Android device. Trend Micro said that this service cannot correctly process a malformed video using the Matroska container, which usually includes the .mkv extension. When the process opens a malformed MKV file, the service may crash, and with it, the rest of the operating system.

"The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data," Trend Micro said.

The vendor said that, upon execution of the payload, the device will have no ring tone, text tone, or notification sounds, and that the user will have no idea of an incoming call or message, and cannot even accept a call. Neither party would hear each other, Trend Micro said.

The vendor added that the UI would become very slow to respond, or be completely non-responsive. If the phone is locked, it cannot be unlocked.

The Android operating system has come under fire over the summer months, with vulnerabilities routinely being discovered. In July, a major vulnerability was discovered that could allow hackers to take over devices simply by sending a text message - that vulnerability was present on all versions of the mobile OS.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code