New Stagefright-esque Android Flaw Can Kill 50% of Devices

Hot on the heels of Stagefright – the flaw that allows Android phones to be compromised via MMS message –Trend Micro researchers have discovered another vulnerability related to media file processing in the platform.

The new flaw affects approximately 50% of Android devices, and it can render a phone apparently dead: silent, unable to make calls, and with a lifeless screen.

“This reinforces that these are just the beginning of vulnerabilities via media files, and Trend Micro researchers expect more are inevitably coming soon,” the firm said.

Like Stagefright, this vulnerability is triggered when Android handles media files. But in this case, the mediaserver service, which is used by Android to index media files that are located on the Android device, cannot correctly process a malformed video file, so, when presented with one, the service may crash (and with it, the rest of the operating system).

“No ring tone, text tone, or notification sounds can be heard,” Trend Micro researchers said. “The user will have no idea of an incoming call/message, and cannot even accept a call. Neither party will hear each other. The UI may become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.”

To exploit the issue, attackers need only to install a malicious app on the device, or lure users to a specially-crafted website. The first technique can cause long-term effects to the device: an app with an embedded file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.

“Whatever means is used to lure in users, the likely payload is the same,” Trend Micro said. “Ransomware is likely to use this vulnerability as a new ‘threat’ for users: in addition to [everything] on the device being encrypted, the device itself would be locked out and unable to be used. This would increase the problems the user faces and make them more likely to pay any ransom.”

The vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop). Combined, these versions account for more than half of Android devices in use today. No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team yet, though Trend Micro reported it to Google in May.

What’s Hot on Infosecurity Magazine?