Researchers at Trend Micro have reported finding a second denial-of-service (DoS) vulnerability in Android’s “mediaserver” component.
According to the security firm, the affected service is present in Android 4.0.1 Jelly Bean through 5.1.1 Lollipop. As of August 3, roughly 95 percent of Android devices were running vulnerable versions of the operating system. Furthermore, experts noted that devices with customized versions of Android that run the same mediaserver are also impacted.
The vulnerability (CVE-2015-3823) is caused by an integer overflow that is triggered when mediaserver processes a malformed MKV video file. The issue causes affected Android devices to enter an endless loop when reading video frames.
Trend Micro says an attacker can exploit the vulnerability by getting users to install an app or by tricking them into visiting a website. In the first scenario, the attacker gets mediaserver to process a specially crafted MKV file via the app, causing the system to slow down until it reboots or until it has no battery left. In this case, the service continues to loop until system resources or the battery are exhausted even if the malicious app is terminated.
In the second scenario, the malicious MKV file is embedded into an HTML page and the exploit is triggered when the user starts playing the video file.
In a worst case scenario, the attacker can program the malicious app to start at boot, which would cause the device to enter an endless reboot loop, researchers said.
“This endless reboot may render Android devices unusable unless the devices are opened in safe mode and the app is removed,” Wish Wu, mobile threat response engineer at Trend Micro, said in a blog post. “Getting rid of the app is quite problematic. It may be difficult to locate the app once downloaded. Attackers may opt to keep it hidden and silent for a long time and only trigger the attack days or months later. Users may believe it is not installed and attribute the reboots to problems in the Android system.”
The security firm says it hasn’t seen any attacks exploiting this vulnerability.
Trend Micro reported the issue on May 19 to the Android security team, which classified it as a “moderate severity” vulnerability two days later.
Google informed Trend Micro of the availability of a fix on July 31. However, due to Android’s fragmented ecosystem and the reliance on device manufacturers and carriers to push security updates, it will take some time until the patch reaches most users. Furthermore, the owners of older devices might never receive the patch.
This is the second Android vulnerability related to the mediaserver component identified by researchers at Trend Micro. Last week, the company announced finding a similar flaw, but Google classified it as “low severity” and it has not been fixed.
Far more serious vulnerabilities related to the handling of video files were discovered by researchers at mobile security firm Zimperium. Experts identified a series of flaws in the Stagefright media library that can be exploited for remote code execution. The security bugs are believed to affect as many as 950 million devices.
What makes these vulnerabilities dangerous is the fact that they can be easily exploited. For example, an attacker can execute arbitrary code on a device simply by sending the targeted user an MMS message with a specially crafted media file.
One of the Stagefright vulnerabilities was reported independently to Google by Trend Micro.
By Eduard Kovacs