Multiple vulnerabilities with a wide range of effects have been plaguing the Android ecosystem within the past month, and now researchers with Trend Micro have identified a new bug that can be exploited by an attacker to practically take over a device.
Google has addressed the bug, CVE-2015-3842, which can be exploited via a malicious app that does not require any special permissions, Wish Wu, mobile threat response engineer with Trend Micro, wrote in a Monday post.
Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Tuesday email correspondence that a “successful attack could result in code execution with full privileges on the device. That means they can do everything the owner of the device can.”
The vulnerability affects Android versions 2.3 to 5.1.1, Wu wrote. He explained that attacks can be fully controlled, meaning that the malicious app – which could appear legitimate on the device, making it tough for users to identify and delete – can decide when to start or stop an attack.
The bug is similar to some of the other recently disclosed vulnerabilities in that it exists in Android's mediaserver component, Wu wrote. For this issue, more specifically, it exists in the AudioEffect component of the mediaserver program.
“It seems that the mediaserver component hasn't gone through a rigorous security review process,” Budd said. “As a result, coding flaws resulting in exploitable vulnerabilities are being discovered. It's similar to what Microsoft went through in the early 2000s.”
Wu noted that the vulnerability is not being actively exploited.