First it was Apple, the Adobe and now it’s Android. Researchers have developed an attack that would put more than 50 percent of Android phones into what Ars Technica is stating a “digital equivalent of a persistent vegetative state.” The new vulnerability could make the device unresponsive and unable to perform many functions and in some cases making and receiving calls.
According to Trend Micro, that originally broke the story, the vulnerability lies in the mediaserver service that Android uses to index media files. According to the sites blog post on Wednesday states that it can be easily exploited by going to a booby-trapped sites or even a malicious app, which is known to heavily populate Google Play.
Researcher Wish Wu, from Trend Micro, wrote:
The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system).
The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data.
Now the vulnerability lies in Android versions 4.3 through the current 5.1.1, which is estimated about half the Android base is affected. Now, this is different from the bug that was announced earlier this week that is expected to affect 950 million Android phones. Stagefright is claimed to be a bigger deal as it allows attackers to pilfer audio, video and other personal data from handsets, could even execute malicious code.
The latest vulnerability was reported to Google back in May but it would seem Google did not consider it a high priority. In fact, they placed it on a low priority. This is not surprising given that Google has never been one to take vulnerabilities all too serious. If you wish to dispute that fact, all you need to do is go to the Google Play store to see what I mean.