Another Android Security Flaw

Friday, July 31, 2015 @ 04:07 PM gHale

This has not been a good few weeks for security on Android.

Because of a vulnerability in a multimedia processing component, a malicious application or Web page could crash Android devices, researchers said.


This latest vulnerability is in Android’s mediaserver component, in how the service handles files that use the Matroska video container (MKV), researchers at Trend Micro said in a blog post.

When the vulnerability is exploited, the device becomes silent and unresponsive. There are no ring tones or notification sounds, and calls cannot be initiated or accepted, the researchers said. In addition, the user interface can become sluggish or completely unusable and, if the user locked the phone, he or she cannot unlock it.

The flaw can be exploited in two ways: through a malicious application that contains a malformed MKV file, or by browsing to a Web page with a specially crafted MKV video embedded in it.

“The first technique can cause long-term effects to the device: An app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on,” the Trend Micro researchers said.

The effect of the Web-based exploit is not as persistent, and the device can be rebooted to restore normal operation. However, the Web-based exploit works even if Chrome for Android does not preload or autoplay video files, the researchers said.

Trend Micro said it reported the flaw in May, but Google assigned it a low priority.

It’s not clear if Google created a patch for this issue yet or if it shared it with device manufacturers. The company did not immediately respond to a request for comment.

No patch has been released yet to the Android Open Source Project (AOSP), the Trend Micro researchers said.