New vulnerability can put Android phones into permanent vegetative state

Malformed video files can be used to crash half of all Android phones.

Researchers have developed an attack that puts more than 50 percent of Android phones into the digital equivalent of a persistent vegetative state in which they're almost completely unresponsive and are unable to perform most functions, including making or receiving calls.

The vulnerability, which resides in the mediaserver service Android uses to index media files, can most easily be exploited by luring a vulnerable phone to a booby-trapped website. Presumably, the phone can be revived by restarting it, but according to a blog post published Wednesday by a researcher from security firm Trend Micro, the bug can also be exploited by malicious apps. In this latter scenario, the malicious app could be designed to automatically start each time the phone is turned on, causing it to crash shortly after each restart.

Trend Micro researcher Wish Wu wrote:

The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system).

The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data.
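The bug class named in the quote above, shown as an added illustration that is not code from the article, Trend Micro, or Android: a bounds check on file-supplied 32-bit fields that wraps, beside a check that cannot wrap and a copy routine that also rejects NULL buffers. The `chunk_hdr` layout and all function names are hypothetical, and the page does not say which field overflows in mediaserver.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header: two 32-bit fields taken straight from an untrusted file. */
typedef struct { uint32_t offset; uint32_t size; } chunk_hdr;

/* Flawed check: offset + size is computed modulo 2^32, so a huge size
 * wraps to a small sum and passes. A later read then leaves the buffer. */
int chunk_in_bounds_flawed(const chunk_hdr *h, uint32_t file_len) {
    return (uint32_t)(h->offset + h->size) <= file_len;
}

/* Hardened check: subtract instead of add, so no intermediate can wrap. */
int chunk_in_bounds_checked(const chunk_hdr *h, uint32_t file_len) {
    return h->offset <= file_len && h->size <= file_len - h->offset;
}

/* Copy the payload into out. Returns bytes copied, or -1 on any rejected input. */
long copy_chunk(const uint8_t *file, uint32_t file_len, const chunk_hdr *h,
                uint8_t *out, size_t out_cap) {
    if (file == NULL || h == NULL || out == NULL)
        return -1;                 /* e.g. an allocation failed upstream */
    if (!chunk_in_bounds_checked(h, file_len) || h->size > out_cap)
        return -1;
    memcpy(out, file + h->offset, h->size);
    return (long)h->size;
}

int main(void) {
    uint8_t file[64], out[8];      /* constructed sample data */
    for (int i = 0; i < 64; i++) file[i] = (uint8_t)i;
    chunk_hdr ok  = { 16u, 8u };
    chunk_hdr bad = { 16u, 0xFFFFFFF8u };   /* 16 + 0xFFFFFFF8 wraps to 8 */
    printf("flawed accepts bad header:  %d\n", chunk_in_bounds_flawed(&bad, 64u));
    printf("checked accepts bad header: %d\n", chunk_in_bounds_checked(&bad, 64u));
    printf("copy ok: %ld, copy bad: %ld\n",
           copy_chunk(file, 64u, &ok, out, sizeof out),
           copy_chunk(file, 64u, &bad, out, sizeof out));
    return 0;
}
```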

The vulnerability affects Android versions 4.3 through the current 5.1.1, accounting for about half of the Android user base. The bug surfaced two days after separate researchers warned that an estimated 950 million Android phones can be hijacked by being sent a simple text message. The so-called Stagefright bug is more serious because it allows attackers to pilfer audio, video, and other personal data from handsets and, in some cases, allows the execution of malicious code. What's more, in many cases, Stagefright attacks require no end-user interaction at all for the vulnerability to be exploited.

Trend Micro privately reported the mediaserver vulnerability to Google in late May. Google engineers have acknowledged the bug but have assigned it a low priority, Trend Micro's Wu said.
