New Android bug can put devices into a coma

In the wake of the explosive discovery of the Android Stagefright vulnerability, Trend Micro researchers have revealed the existence of another, similar one that can make Android devices unresponsive, i.e. “silent, unable to make calls, with a lifeless screen”.

“The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device,” they shared.

“This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system). The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data.”

The vulnerability affects Android 4.3 (Jelly Bean), 4.4 (Kit Kat) and 5.1 (Lollipop), i.e. over 50 percent of all Android devices currently in use.

It can be triggered either via a malicious app installed on the device (as demonstrated in this video), or a specially-crafted, malicious web site. Either way, user interaction is required (not that it’s very difficult to make users visit a particular site or download an app).

“Whatever means is used to lure in users, the likely payload is the same. Ransomware is likely to use this vulnerability as a new ‘threat’ for users: in addition to encrypting on the device being encrypted, the device itself would be locked out and unable to be used. This would increase the problems the user faces and make them more likely to pay any ransom,” the researchers noted.

Google has been notified of the flaw, and is set to fix it in an upcoming version of Android. They don’t consider it as serious as the Stagefright bug.

“While our team is monitoring closely for potential exploitation, we’ve seen no evidence of actual exploitation,” Google told Iain Thomson.

“Should there be an actual exploit of this, the only risk to users is temporary disruption to media playback on their device. So, simply uninstalling the unresponsive application or not returning to a website that causes the browser to hang would correct the issue.”

“Further research into Android – especially the mediaserver service – may find other vulnerabilities that could have more serious consequences to users, including remote code execution,” the researchers pointed out.