Another day, another Android vulnerability. Just days after researchers disclosed an MMS-based Android vulnerability that potentially puts 950 million Android devices at risk, a different group of researchers has come forward with yet another Android-based security exploit.
The latest Android vulnerability affects more than half of all Android devices in circulation today and has the potential to render handsets completely inert, which is to say infected phones cannot make calls or receive any other type of notification. What’s more, the screen itself may become lifeless, effectively turning Android phones into expensive screen savers.
The exploit, discovered by researchers at Trend Micro, can be enacted either via a malicious app or via a “specially-crafted website.” Devices vulnerable to the attack include handsets running Android 4.3 (Jelly Bean) or above.
As for how the exploit works, well, it’s time to get technical. The researchers describe the basis for the vulnerability as follows:
The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system).
The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data.
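The quoted description does not include the faulty parsing code. As an added example (not mediaserver's or Trend Micro's code), the C below shows how a parser can decode a Matroska (EBML) variable-length element size and bounds-check it without integer overflow; the function and constant names are hypothetical, and `pos` is assumed to point at the size field that follows an element ID.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this added example. */
enum { EBML_OK = 0, EBML_TRUNCATED = -1, EBML_BAD_VINT = -2,
       EBML_TOO_BIG = -3, EBML_UNKNOWN_SIZE = -4 };

/* Decode an EBML variable-length size field (1 to 8 bytes) at buf[pos].
 * The number of leading zero bits in the first byte gives the field length. */
static int ebml_read_size(const uint8_t *buf, size_t len, size_t pos,
                          uint64_t *size, size_t *used)
{
    if (pos >= len) return EBML_TRUNCATED;
    uint8_t first = buf[pos], mask = 0x80;
    size_t n = 1;
    if (first == 0) return EBML_BAD_VINT;        /* would be longer than 8 bytes */
    while (!(first & mask)) { mask >>= 1; n++; }
    if (n > len - pos) return EBML_TRUNCATED;    /* no wrap: pos < len here */
    uint64_t v = first & (uint8_t)(mask - 1);    /* drop the length marker bit */
    for (size_t i = 1; i < n; i++) v = (v << 8) | buf[pos + i];
    if (v == (UINT64_C(1) << (7 * n)) - 1) return EBML_UNKNOWN_SIZE; /* all ones */
    *size = v; *used = n;
    return EBML_OK;
}

/* Return the [start, end) byte range of an element payload, or an error.
 * The declared size is compared with the bytes remaining (len - start);
 * start + size is never computed on an unchecked value, so it cannot wrap. */
int ebml_payload_bounds(const uint8_t *buf, size_t len, size_t pos,
                        size_t *start, size_t *end)
{
    uint64_t size; size_t used;
    int rc = ebml_read_size(buf, len, pos, &size, &used);
    if (rc != EBML_OK) return rc;
    size_t s = pos + used;                       /* used <= len - pos */
    if (size > (uint64_t)(len - s)) return EBML_TOO_BIG;
    *start = s; *end = s + (size_t)size;
    return EBML_OK;
}

int main(void)
{
    /* Constructed input: 8-byte size field declaring about 2^56 bytes, 1 byte present. */
    const uint8_t huge[] = { 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0x00 };
    size_t s, e;
    printf("huge size -> %d\n", ebml_payload_bounds(huge, sizeof huge, 0, &s, &e));
    return 0;
}
```

A caller that gets anything other than `EBML_OK` should stop parsing the file rather than continue with a partially decoded element.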
To highlight how the exploit works, researchers developed a proof of concept mobile app and website to better demonstrate what happens when a device becomes infected.
A video demonstration of the process can be seen below.
While users can of course steer clear of questionable apps, avoiding malicious websites can be a bit more challenging given the lengths some hackers will go to in order to lure or trick users onto an ostensibly safe website.
“Whatever means is used to lure in users, the likely payload is the same,” the researchers write. “Ransomware is likely to use this vulnerability as a new ‘threat’ for users: in addition to encrypting on the device being encrypted, the device itself would be locked out and unable to be used. This would increase the problems the user faces and make them more likely to pay any ransom.”
The researchers further note that they reported the aforementioned vulnerability to Google in mid-May. A few days later Google acknowledged the report and categorized it as a “low priority.”