Another High Risk Vulnerability Affects Android – From Gingerbread to Lollipop
Even the “another day, another Android security flaw” fails to express the disdain that users now have toward the long-ridiculed security system of Android.
A new Android vulnerability (CVE-2015-3842) has now been identified that is caused by the operating system’s mediaserver component. Yep, again! A heap overflow in mediaserver’s Audio Policy Server affects almost all the Android versions from 2.3 Gingerbread to the very latest 5.1.1 Lollipop and enables a local application to execute arbitrary code with the privileges of the mediaserver process. Discovered by security researchers at Trend Micro, this high severity Android vulnerability could be remotely leveraged to install malware onto a target device using specially crafted messages.
We have seen several vulnerabilities identified in the mediaserver component of Android. This latest vulnerability involves a component called AudioEffect of mediaserver. Wish Wu of Trend Micro explained that the security bug can be exploited by getting the victim to install an app that doesn’t require any permissions. He further notes how victim’s privacy could be at serious risk due to the involvement of mediaserver component that deals with everything from images to videos.
This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop. An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk.
Researchers developed a proof-of-concept malicious app to demonstrate the capabilities of this high severity flaw. They tested this app on a Nexus 6 powered by Android 5.1.1 LMY47Z. The malicious app, once installed, crashed the mediaserver component. If the app fails to crash the component, it will stop and run again.
Thankfully, the flaw has already been patched by Google. Trend Micro had reported the vulnerability on June 19 under Google’s new Android Security Rewards program. Wu also submitted the patch helping Google include it in its August security update. Security researchers said they aren’t aware of any active attacks exploiting this vulnerability.