Android phones running on JellyBean to Lollipop vulnerable to Android Mediaserver Bug

Security researchers from Trend Micro has claimed to find out a major security issue which can render Android devices apparently dead, non-responsive with a lifeless screen. The firm claimed that security flaw exists from Android 4.3 jelly bean to the latest version i.e. Android 5.1.1 Lollipop. If the claims are true than more than half of devices running on Android Operating system are on risk, matter becomes more serious when you get to know that no patch is applied to Android Open Source Project (AOSP) to fix this vulnerability since May 2015. 

The news broke out just after, Google announced a security update to fix Stagefright vulnerability which could have affected as many as 950 million devices. The latest flaw can be exploited in two ways, one through malicious apps and other through evil website specifically created to mislead users and hack the device to render it useless. The app method is more dangerous as it can cause long term effects if its embedded with an MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.

Image for illustration purpose only

Vulnerability Description:

The vulnerability lies in the media server service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system).

The vulnerability is caused by an integer overflow when the media server service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data.

• This will cause the device to become totally silent and non-responsive. This means that:

• No ring tone, text tone, or notification sounds can be heard. The user will have have no idea of an incoming call/message, and cannot even accept a call. Neither party will hear each other.

• The UI may become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.

Potential threat scenarios: 

As mentioned above, there are two ways that this attack can be exploited: the user can either visit a malicious site or download a malicious app.

There are many common techniques that could be used to lure a user to a malicious site. We’ve discussed in the past how repackaged apps pose a problem for users who may have a hard time differentiating legitimate apps from repackaged ones.

Whatever means is used to lure in users, the likely payload is the same. Ransomware is likely to use this vulnerability as a new “threat” for users: in addition to encrypting on the device being encrypted, the device itself would be locked out and unable to be used. This would increase the problems the user faces and make them more likely to pay any ransom.

Further research into Android – especially the mediaserver service – may find other vulnerabilities that could have more serious consequences to users, including remote code execution.