Soon after Google announced a security update for the Stagefright vulnerability
(a critical security bug) for its Nexus devices, a new bug has been reported that security researchers claim leaves Android device "dead."
Trend Micro's Wish Wu, a mobile threat response engineer, has detailed the newly discovered vulnerability in the Android mobile operating system. According to the report, the vulnerability renders the Android device unresponsive - "silent, unable to make calls, with a lifeless screen."
The vulnerability is said to be present from Android 4.3 Jelly Bean to the current version, Android 5.1.1 Lollipop. It's worth noting that majority of Android devices, almost 90 percent, are currently running these versions, according to the Google's Android distribution numbers.
Wu explains the process, "The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system)."
Further explaining, Trend Micro notes that the vulnerability can be exploited in two ways either via an installed malicious app on the device or through a specially-crafted website.
"The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would case the OS to crash every time it is turned on," notes the report.
Some of the implication of the vulnerability is said to be unresponsive UI and even claims that if the phone is locked, it cannot be unlocked. Trend Micro speculates some of the potential threat scenarios where it claims attackers can use it for ransomware. However, it's worth noting that once the device is unresponsive; how the attackers will ask for ransom from affected Android users.
Trend Micro notes that the vulnerability was privately reported to Google in May. The company acknowledged the report however marked the issue as a low priority vulnerability. A Google spokesperson told Engadget that the "future version of Android" would patch the vulnerability while stressed that there has been "no evidence of actual exploitation."