Don't want pranksters 'bricking' your Android? Just stop using the internet, duh – Google

Thanks for the top tip, now where's the patch?

Video Trend Micro peeps say they have discovered a security bug that miscreants can exploit to seemingly murder millions of Android smartphones.

A device will appear lifeless and unable to make calls, with a dead screen and no sound output, if an attack is successful, we're told. All a victim has to do is visit a dodgy webpage, or run an app containing a malicious file. Rebooting the supposedly dead smartphone will revive it.

Google's solution is to simply get over it, not browse untrusted websites on your phone, and avoid installing evil applications. A patch to fix the hole is on its way, we're told.

The vulnerability stems from an integer overflow bug in Android's media server service, which can be exploited by a malformed video file in a Matroska container. When Android tries to index the file, it crashes, bringing the rest of the operating system down with it.

"Ransomware is likely to use this vulnerability as a new 'threat' for users: in addition to encrypting data on the device, the device itself would be locked out and unable to be used. This would increase the problems the user faces and make them more likely to pay any ransom," said Trend's mobile threat response engineer Wish Wu.

As a proof-of-concept, Wu created a seemingly normal application that included the malformed .mkv container. When the user taps the app's icon, the phone is swiftly borked:

Youtube video

In addition to this, Wu set up a website hosting the same file. When the phone is directed to the site – something that's easy enough to do for a reasonably confident social engineer – the phone suffered similar problems.

The flaw affects Android versions 4.3 and above, meaning about half of all 'droid handsets out there are vulnerable. Trend warned Google of the bug in May but went public with it on Wednesday this week.

Google isn't that concerned about the issue, though, or perhaps it's too busy dealing with the Stagefright clusterfuck. The media server vulnerability is being treated as a low priority.

"We want to thank the researcher for their report as it helps strengthen Android's security. While our team is monitoring closely for potential exploitation, we've seen no evidence of actual exploitation," Google told The Register in a statement.

"Should there be an actual exploit of this, the only risk to users is temporary disruption to media playback on their device. So, simply uninstalling the unresponsive application or not returning to a website that causes the browser to hang would correct the issue. In addition, we will provide a fix in a future version of Android." ®


Biting the hand that feeds IT © 1998–2017