30 July 2015

Android vulnerability renders phones lifeless

Trend Micro has discovered a vulnerability in Android that can render a phone apparently dead. The handset does not ring or make notification sounds, cannot make calls, and shows a lifeless screen. If the phone is locked, it cannot be unlocked.

The vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop), the company said, pointing out that these versions account for more than half of Android devices in use today. "No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability since we reported it in late May," the company said in a statement.

The vulnerability lies in the mediaserver service, which Android uses to index media files stored on the device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash and bring the rest of the operating system down with it.

This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted website. The first technique can have long-term effects on the device: for instance, an app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.

For now, Trend Micro recommends that affected users restart their devices in safe mode.


More information is in Trend Micro’s blog post.
Mobile security software such as Trend Micro’s Mobile Security for Android Smartphones and Tablets can help protect data and devices.