Days following the announcement of a security flaw in Android’s media playback system Stagefright, a new security vulnerability has been discovered.
According to security firm, Trend Micro, the new security threat affects all devices running Android 4.3 to the present version, 5.1.1. That’s around 57% of all Android devices in use today— or more than 900 million devices.
Like Stagefright, the new bug developed from the way that Android handles video. The mediaserver service used by Android to index media files on the device can crash if it’s exposed to a “malformed” video using the Matroska containter (usually a .mkv file). Once this happens, the Android device will become non-responsive, meaning that the user will not be able to hear a ringtone or any notification sound, accept calls, and if the phone is locked, they will not be able to unlock it.
A hacker could build a website to do this to your phone, with the .mkv file embedded into an HTML page but that could be fixed by restarting the device. However, if an attacker creates an app with the embedded .mkv that autostarts at boot, then the device will crash immediately after it’s turned on.
Unlike the Stagefright bug, this vulnerability does not allow for remote code execution, making it a bit less dangerous.
At the time of publication, Google has issued the following statement:
“While our team is monitoring closely for potential exploitation, we’ve seen no evidence of actual exploitation.
Should there be an actual exploit of this, the only risk to users is temporary disruption to media playback on their device. So, simply uninstalling the unresponsive application or not returning to a website that causes the browser to hang would correct the issue. In addition, we will provide a fix in a future version of Android.”