Security researchers at Trend Micro have discovered a new vulnerability that they claim is present in Android 4.3 Jelly Bean up to the latest Android 5.1.1 Lollipop, which constitute to almost half of the Android devices out there. The vulnerability, if and when exploited, could make your device silent, unable to make phone calls and completely unusable. This apparently is caused by the way Android handles media files.
The researchers already reported the issues to the Android engineering team back in May but the exploit is yet to be patched. Trend Micro explains that the bug is present in Android’s mediaserver service, which is used to index media files stored on the device. If a device tries to open a malformed MKV file, it causes the service to crash along with the entire operating system in the run to process it, thereby rendering the device unusable and preventing the user from interacting with it.
This will cause the device to become totally silent and non-responsive. This means that:
- No ring tone, text tone, or notification sounds can be heard. The user will have have no idea of an incoming call/message, and cannot even accept a call. Neither party will hear each other.
- The UI may become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.
The report explains that the vulnerability can be exploited either via a website embedded with a malformed MKV file, or through a malicious app with an MKV file installed on a device that could cause the operating system to crash every time it attempts to turn on. With the latter approach, the malicious apps could be designed in a way so that it runs immediately every time the Android device restarts, therefore causing the operating system to crash upon boot.
As mentioned earlier, Trend Micro had already reported the vulnerability to Google on May 15, which was flagged as a low priority issue by the company and remains un-patched in the Android Open Source Project (AOSP). This bug comes in a few days after another team of security researchers discovered an exploit which could potentially allow malicious individuals to gain access to a device by simply sending a seemingly innocent text message to the targeted number.
Here’s a video demoing how a malicious app can be used to exploit this vulnerability.
(Source: Trend Micro)