Majority of Android devices vulnerable to denial-of-service bug
The vulnerability exists in the mediaserver service and affects Android 4.3 to Android 5.1.1.
Hot on the heels of multiple critical remote code execution vulnerabilities being identified in Android's Stagefright code, researchers with Trend Micro have identified an Android denial-of-service bug that can be exploited to make devices unresponsive and practically unusable.
Wish Wu, mobile threat response engineer with Trend Micro, explained the issue in a Wednesday blog post.
Wu wrote that successful exploitation of the vulnerability will make it so a device has no ringtone, text tones, or notification sounds. Additionally, there will be no indication of incoming calls, no way to accept calls, and neither caller will hear the other. Furthermore, locked devices cannot be unlocked, and the user interface could become slow and unresponsive.
“This is a local denial-of-service vulnerability, no data theft or control over the phone,” Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Wednesday email correspondence. “Attackers would target this in situations where they want to leverage denying access to an Android device, like in a ransomware situation where you extort access.”
The vulnerability – which exists in the mediaserver service – affects Android 4.3 to Android 5.1.1, the current version, Wu wrote, adding that more than 50 percent of Android devices in use today are affected.
The vulnerability can be exploited either by a malicious app installed on the affected device, or through a specially crafted website. Wu explained that installing a malicious app can be particularly damaging if it registers itself to auto-start whenever the device boots.
“In the browsing scenario, the phone can be reset and the problem solved,” Budd said. “For a malicious app, the best solution would be to try and remove the malicious app and, if that's not possible, do a factory reset to remove it.”
Wu wrote that Trend Micro reported the bug to Google in May, but that a patch was not released. A Google spokesperson told SCMagazine.com in a Wednesday email correspondence that a fix will be provided in the future.
“While our team is monitoring closely for potential exploitation, we've seen no evidence of actual exploitation,” the spokesperson said. “Should there be an actual exploit of this, the only risk to users is temporary disruption to media playback on their device. So, simply uninstalling the unresponsive application or not returning to a website that causes the browser to hang would correct the issue. In addition, we will provide a fix in a future version of Android.”