Security Experts:

Android Vulnerability Allows Attackers to Crash Smartphones

A vulnerability in the Android mobile operating system can be exploited to cause devices to become inoperable, said researchers from Trend Micro.

According to experts, the vulnerability affects versions of Android starting with 4.3 Jelly Bean and up to 5.1.1 Lollipop. Roughly half of Android devices are running impacted version of the operating system.

The issue is an integer overflow bug in Android’s “mediaserver” service. The vulnerability is triggered when the service processes a malformed video file using the Matroska container.

“The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data,” Trend Micro mobile threat response engineer Wish Wu explained in a blog post.

An attacker can leverage the flaw to cause a smartphone to become silent and inoperable. This includes no ringtone and notification sounds, and unresponsive user interface.

Wu says an attacker can exploit the denial-of-service (DoS) vulnerability remotely by getting the victim to install a malicious app or visit a specially crafted website. Exploiting the flaw through a malicious app that contains an embedded MKV file allows the attacker to make the smartphone unresponsive for an extended period of time by ensuring that the application is launched whenever the device boots.

A proof-of-concept (PoC) application developed by Trend Micro causes the mediaserver service to continuously restart once the exploit is triggered. The attack has also been demonstrated with a web-based PoC that causes the phone to crash when it’s accessed through the Chrome web browser.

“Whatever means is used to lure in users, the likely payload is the same. Ransomware is likely to use this vulnerability as a new ‘threat’ for users: in addition to encrypting on the device being encrypted, the device itself would be locked out and unable to be used. This would increase the problems the user faces and make them more likely to pay any ransom,” Wu explained.

The researcher believes that further analysis of the mediaserver service might reveal more serious vulnerabilities, including flaws that can be exploited for remote code execution.

Google has confirmed that the vulnerability exists, but the search giant has yet to release a patch. The company has classified the issue as a low priority flaw.

Earlier this week, researchers disclosed the existence of a series of critical Android vulnerabilities. The flaws exist in the Stagefright media playback library and they affect up to 950 million devices.

While in both cases the vulnerabilities can be exploited via malicious media files, the Stagefright vulnerabilities are far more serious because they allow remote code execution, and some of them can be exploited simply by sending a malicious MMS message to the victim.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.