Two weeks ago, we reported about a critical mediaserver vulnerability that threatened to crash more than 55 percent of Android devices, making them unresponsive and practically unusable to perform most essential tasks.
Now, security researchers at Trend Micro have uncovered another flaw in the Android's mediaserver component that could be remotely exploited to install malware onto a target device by sending a specially crafted multimedia message.
The vulnerability (CVE-2015-3842) affects almost all the versions of Android devices from Android 2.3 Gingerbread to Android 5.1.1 Lollipop, potentially putting hundreds of Millions of Android devices open to hackers.
Since Google has patched this issue, but hopefully the patch issued by Google this time isn't incomplete like its patch for the Stagefright vulnerability that affects 950 Million Android devices worldwide.
How the Vulnerability Works?
The security flaw involves a mediaserver component called AudioEffect and uses an unchecked variable that comes from the client, usually an app.
According to a security researcher from Trend Micro, the vulnerability can be exploited by malicious apps.
All a hacker need to do is to convince the victim to install an app that does not ask for "any required permissions, giving them a false sense of security."
"The checking of the buffer sizes of pReplyData and pCmdData is not correct," researchers wrote in a blog post published Monday.
"As the mediaserver component uses these buffers… the mediaserver component assumes the buffer sizes of pReplyData and pCmdData are bigger than this size. We can make the buffer size of pReplyData, which is client-supplied, smaller than the size read from the buffer pCmdData. This causes a heap overflow."
Proof-of-Concept Attack
The researchers have also developed a proof-of-concept (PoC) malicious app that exploits the flaw. They tested their app on a Nexus 6 handset running Android 5.1.1 Build LMY47Z.
Once installed on the device, the app crashes the Android's mediaserver component by overflowing the buffer pReplyData in the heap. However, if the mediaserver component does not crash, the POC app will be closed and run again.
When will I expect a Fix?
So far, there isn't any indication of active attacks against this vulnerability, but researchers said that the flaw could be exploited to provide full control of the target device.
Google has fixed the issue, but given the shaky history of device manufacturers and carriers rolling out patches, it is not known how long the companies will take to update the vulnerable devices.