Trend Micro discovered a vulnerability in Android that can render a phone apparently
dead – silent, unable to make calls, with a lifeless screen. This vulnerability
is present from Android 4.3 (Jelly Bean) up to the current version, Android
5.1.1 (Lollipop). Combined, these versions account for more than half of
Android devices in use today. No patch has been issued in the Android Open
Source Project (AOSP) code by the Android Engineering Team to fix this
vulnerability since May 2015.
This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.
In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability. Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs.
The vulnerability lies in the media server service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system).
The vulnerability is caused by an integer overflow when the media server service parses an MKV file. While parsing audio data, the service reads memory outside the buffer or writes data to a NULL address. This causes the device to become totally silent and non-responsive: no ring tone, text tone, or notification sounds can be heard. The user will have no idea of an incoming call or message, and cannot even accept a call. Neither party will hear the other. The UI may also become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.
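The affected media server code is not shown in this post, so the following is an added illustration of the bug class only, not AOSP or Trend Micro code. It decodes a Matroska (EBML) variable-length size field and contrasts a bounds check that wraps on overflow with one that cannot; the function names, the 64-byte buffer and the sample bytes are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode an EBML variable-length integer (the size encoding Matroska uses).
 * Returns the number of bytes consumed, or 0 if the input is truncated/invalid. */
static size_t read_vint(const uint8_t *p, size_t avail, uint64_t *out)
{
    if (avail == 0 || p[0] == 0) return 0;
    size_t len = 1;
    uint8_t mask = 0x80;
    while (!(p[0] & mask)) { mask >>= 1; len++; }   /* leading zero bits give the length */
    if (len > avail) return 0;
    uint64_t v = p[0] & (uint8_t)(mask - 1);         /* strip the length marker bit */
    for (size_t i = 1; i < len; i++) v = (v << 8) | p[i];
    *out = v;
    return len;
}

/* Overflow-prone pattern: the 32-bit sum wraps, so a huge declared size looks small. */
static int fits_unsafe(uint32_t offset, uint32_t size, uint32_t buf_len)
{
    return offset + size <= buf_len;
}

/* Hardened pattern: compare against the space that remains, with no addition. */
static int fits_safe(uint64_t offset, uint64_t size, uint64_t buf_len)
{
    return offset <= buf_len && size <= buf_len - offset;
}

/* Constructed sample: the 5-byte vint 08 FF FF FF F0 declares a size of 0xFFFFFFF0. */
static const uint8_t SAMPLE_SIZE_FIELD[] = { 0x08, 0xFF, 0xFF, 0xFF, 0xF0 };

int main(void)
{
    uint64_t size = 0;
    size_t n = read_vint(SAMPLE_SIZE_FIELD, sizeof SAMPLE_SIZE_FIELD, &size);
    uint32_t offset = 0x20, buf_len = 64;            /* hypothetical parser state */
    printf("vint bytes=%zu declared size=0x%llx\n", n, (unsigned long long)size);
    printf("unsafe check accepts: %d\n", fits_unsafe(offset, (uint32_t)size, buf_len));
    printf("safe check accepts:   %d\n", fits_safe(offset, size, buf_len));
    return 0;
}
```

A parser that relies on the first check would go on to read far past its 64-byte buffer, which is the out-of-buffer read described above; the second check rejects the element before any data is touched.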
Whatever means is used to lure in users, the likely payload is the same. Ransomware is likely to use this vulnerability as a new “threat” for users: in addition to the data on the device being encrypted, the device itself would be locked out and unusable. This would increase the problems the user faces and make them more likely to pay any ransom. Further research into Android – especially the media server service – may find other vulnerabilities that could have more serious consequences to users, including remote code execution.