Android security flaw can gag your phone

Researchers at Trend Micro say they have discovered a new video-related security vulnerability that leaves a phone completely unresponsive, unable to make or receive calls and notifications.

Trend Micro says the vulnerability affects all Android smartphones running versions 4.3 through the current 5.1.1, which is more than half of all Android smartphones.

The vulnerability, which uses a damaged Matroska (MKV) video in an app or website to crash Android's "mediaserver" service, can most easily be exploited by luring a vulnerable phone to a booby-trapped website.

"The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system).

"The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data."
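The bug class described in the quote, shown as an added example that is not Trend Micro's or Android's code: a Matroska element declares its own payload size as an EBML variable-length integer, and a parser must check that size against the bytes actually remaining. The function names, the sample bytes and the 32-bit wrap in `naive_fits` are assumptions chosen to illustrate integer overflow in a length check, not the actual mediaserver defect.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode an EBML variable-length integer (the encoding Matroska uses for
 * element sizes) at buf[*pos]. Returns 0 on success, -1 on malformed input. */
static int read_vint(const uint8_t *buf, size_t len, size_t *pos, uint64_t *out)
{
    if (*pos >= len || buf[*pos] == 0)
        return -1;                        /* no data, or width > 8 bytes */
    uint8_t first = buf[*pos], mask = 0x80;
    size_t width = 1;
    while (!(first & mask)) { mask >>= 1; width++; }
    if (width > len - *pos)
        return -1;                        /* size field itself is truncated */
    uint64_t v = first & (uint8_t)(mask - 1);  /* strip the length marker bit */
    for (size_t i = 1; i < width; i++)
        v = (v << 8) | buf[*pos + i];
    *pos += width;
    *out = v;
    return 0;
}

/* Illustrative flawed check: the end offset is computed in 32 bits, so a
 * huge declared size wraps around and appears to fit in the buffer. */
static int naive_fits(const uint8_t *buf, size_t len, size_t pos)
{
    uint64_t size;
    if (read_vint(buf, len, &pos, &size) != 0) return 0;
    uint32_t end = (uint32_t)pos + (uint32_t)size;   /* may wrap */
    return end <= len;
}

/* Hardened check: compare the declared size with the bytes remaining
 * instead of adding it to an offset, so nothing can wrap. */
static int checked_fits(const uint8_t *buf, size_t len, size_t pos)
{
    uint64_t size;
    if (read_vint(buf, len, &pos, &size) != 0) return 0;
    return size <= (uint64_t)(len - pos);  /* read_vint keeps pos <= len */
}

/* Constructed sample inputs (not taken from any real file). */
static const uint8_t SAMPLE_OK[16]  = { 0x84, 1, 2, 3, 4 };             /* declares 4 bytes */
static const uint8_t SAMPLE_BAD[16] = { 0x08, 0xFF, 0xFF, 0xFF, 0xFF }; /* declares 0xFFFFFFFF */
```

On the constructed `SAMPLE_BAD` input the wrapped sum passes the naive check, while the subtraction-based check rejects it; a parser should skip or reject the element at that point and never index past the buffer.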

Fortunately, the fix appears fairly easy: you can revive your phone simply by turning it off and on again. But according to a blog post on Trend Micro's website, the bug can also be exploited by malicious apps designed to start automatically each time the phone is turned on, causing it to crash shortly after each restart.

According to Trend Micro, it notified Google of this exploit in mid-May, but it was marked "low priority" by Google's engineers.

