Vulnerability affects around 56% of all Android phones

Jul 30, 2015 09:27 GMT
Android devices vulnerable to another mediaserver service exploitation

Days after the Stagefright bug was discovered by cybersecurity firm Zimperium, Trend Micro has now revealed a new problem with the Android mediaserver that can cause a phone to constantly crash and become unresponsive to user commands.

While Stagefright has a broader scope, affecting 95% of all Android devices, starting with version 2.2 and going up to 5.1, this latter vulnerability was discovered to work only with Android versions 4.3 and above, meaning more than half of all devices (56.8% to be more exact).

According to Trend Micro researchers, the as yet unnamed vulnerability (the cool & ominous name is still in the works) can be leveraged in two ways by an attacker: using a malicious app installed and running on the user's device, or by accessing a URL where a malformed media file is hosted (and subsequently loaded).

Using a local malicious app to constantly crash the OS

The first method was demonstrated by Trend Micro researchers using a malformed MKV file, which the mediaserver service will try to index automatically.

The problem resides in how this service reads data from a Matroska media container, which is used with the .mkv extension.

"The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data," says the Trend Micro team.

This causes the app to restart in a continuous loop, making the device unresponsive, or even crashing the OS in some cases.

In their tests, researchers have found out that no ring or text tones will be heard if the vulnerability is leveraged, no calls can be accepted, the Android UI may become totally unresponsive, and if the phone is locked, the user won't be able to unlock it anymore.
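The article gives no code for the flaw, so the following is an added illustration of the general bug class Trend Micro describes, not mediaserver's source or the researchers' proof of concept. It decodes a Matroska (EBML) element size field and contrasts a length check whose 32-bit sum wraps with one that cannot; the function names and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed samples: 1-byte element ID, EBML size field, then payload. */
static const uint8_t SAMPLE_GOOD[] = {0xA3, 0x84, 1, 2, 3, 4};  /* size 4 */
static const uint8_t SAMPLE_BAD[]  = {0xA3, 0x08, 0xFF, 0xFF, 0xFF, 0xFC,
                                      0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; /* size 0xFFFFFFFC */

/* Decode an EBML variable-length size; returns bytes used, 0 if malformed. */
static size_t ebml_read_size(const uint8_t *p, size_t avail, uint64_t *out)
{
    if (avail == 0 || p[0] == 0) return 0;   /* no length marker bit */
    size_t len = 1;
    uint8_t mask = 0x80;
    while (!(p[0] & mask)) { mask >>= 1; len++; }
    if (len > avail) return 0;               /* size field is truncated */
    uint64_t v = p[0] & (uint8_t)(mask - 1); /* drop the marker bit */
    for (size_t i = 1; i < len; i++)
        v = (v << 8) | p[i];
    *out = v;
    return len;
}

/* Unsafe pattern: the 32-bit sum wraps, so an oversized payload "fits". */
static int payload_fits_unchecked(uint32_t off, uint32_t size, uint32_t buf_len)
{
    return off + size <= buf_len;
}

/* Hardened: compare size with the bytes remaining; nothing can wrap. */
static int payload_fits_checked(uint64_t off, uint64_t size, uint64_t buf_len)
{
    return off <= buf_len && size <= buf_len - off;
}

/* Validate the element whose size field starts at size_off in buf. */
static int element_payload_ok(const uint8_t *buf, size_t buf_len, size_t size_off)
{
    uint64_t size = 0;
    if (size_off > buf_len) return 0;
    size_t n = ebml_read_size(buf + size_off, buf_len - size_off, &size);
    return n != 0 && payload_fits_checked((uint64_t)size_off + n, size, buf_len);
}

int main(void)
{
    return !(element_payload_ok(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 1) &&
             !element_payload_ok(SAMPLE_BAD, sizeof SAMPLE_BAD, 1) &&
             payload_fits_unchecked(6, 0xFFFFFFFCu, sizeof SAMPLE_BAD));
}
```

The program exits with status 0 when the well-formed element is accepted, the oversized one is rejected by the hardened check, and the wrapping check is shown to accept it.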

The malicious MKV file can also be hosted online

While installing malicious apps presents a lower threat level because most users tend to use authenticated and original sources for their applications, the same cannot be said of the second infection scenario.

Creating a simple Web page that loads a malicious MKV file using an HTML5 video tag made Android devices crash the same way as they did when exploited using local apps.

This poses a more serious threat since it's easier to get a user to access a Web page than to install a potentially unsafe app, which makes this vulnerability a new favorite for upcoming ransomware campaigns.

Vulnerability proof of concept (4 images), including: the mediaserver service continuously restarting after the exploit is triggered; HTML code of test page.