Bad week for Android. Just days after a critical Stagefright vulnerability was revealed in the widely popular mobile platform, another new vulnerability threatens to make most Android devices unresponsive and practically unusable for essential tasks.
Security researchers at Trend Micro have developed an attack technique that could ultimately crash more than 55 percent of Android phones, leaving them almost completely unresponsive and unable to perform very basic functions, including making or receiving calls.
The dangerous security flaw affects any device running Android 4.3 Jelly Bean and later, including the latest Android 5.1.1 Lollipop, potentially leaving hundreds of millions of Android users vulnerable to hackers.
The flaw surfaced two days after Zimperium researchers warned that nearly 950 million Android phones can be hijacked by sending a simple text message. Dubbed Stagefright, that vulnerability is more serious because it requires no end-user interaction at all to be exploited.
How to Exploit the Flaw?
A hacker can exploit the vulnerability in two ways:
- Through a Malicious Android App
- Through a Specially-Crafted Web Site
The easiest way to exploit the flaw is to lure a vulnerable Android phone to a booby-trapped website. Presumably, in this case, the phone can be revived by just restarting it.
However, the vulnerability, if exploited by a malicious app, can have a long-term impact on the phone, according to a blog post published Wednesday by a researcher from security firm Trend Micro.
The malicious app can be designed in such a way that every time the phone is turned on, the app automatically starts, causing the operating system to crash shortly after each restart.
This makes the device unresponsive, mute and useless, meaning no ringtone, message tone, or notification sounds will be heard. Nor can the user receive or make calls.
Root Cause of the Vulnerability
The vulnerability actually resides in the mediaserver service used by Android to index media files located on the Android phone.
"[mediaserver] service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension)," Trend Micro researcher Wish Wu wrote. "When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system)."
Researchers have also developed a proof-of-concept (PoC) malicious app that exploits the flaw. The accompanying video shows the exploit at work.
Security researchers reported the vulnerability to Google's security team in late May, but the team failed to patch the issue after classifying it as a low-level vulnerability.