Silent Attack: Mediaserver vulnerability in Android smartphones running Jelly Bean to Lollipop renders them lifeless (Updated)
The Trend Micro Labs website says that this vulnerability is present in all Android smartphones and tablets from Android 4.3 (Jelly Bean) to Android 5.1.1 (Lollipop). Trend has not clarified whether the current Android M version is susceptible to the attack. Android 4.3 to Android 5.1.1 (Jelly Bean to Lollipop) runs on almost half of the Android smartphones in circulation, which means that almost 500 million Android smartphones are affected.
The Silent Attack
This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted website hosting the PoC code. The first technique can cause long-term effects on the Android device: if the victim installs an app with an embedded MKV file, and that app registers itself to auto-start whenever the smartphone is booted, the exploit will be triggered on every boot, crashing the device each time. In the second technique, the exploit is triggered when the smartphone owner visits a malformed website hosting the code, or the device is made to visit such a website. Trend Micro researchers say that the vulnerability lies in the mediaserver service, which Android uses to index media files located on the device. Once the attacker sends a malformed video file to the device, the mediaserver service cannot process it using the Matroska container parser, which handles files with the .mkv extension. Because it is unable to process the malformed MKV file, the service may crash, rendering the device lifeless. The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file: while parsing audio data it reads memory beyond the buffer or writes data to a NULL address. The source code below – found in the frameworks/av/media/libstagefright/matroska/MatroskaExtractor.cpp file – shows the vulnerability in detail:
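To make the failure mode concrete, here is an added C illustration of the general bug class the article describes (a container length field that wraps a 32-bit size computation) next to the check that rejects it. This is not the MatroskaExtractor.cpp code the article refers to, nor any other AOSP code; the block layout (a 4-byte big-endian length followed by payload), the constant names and the sample bytes are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed example, not AOSP code. A parser trusts a length field from
 * the file, adds a fixed header size, and uses the result to size a buffer.
 * FRAME_HEADER_LEN and the 4-byte length prefix are assumptions here. */
#define FRAME_HEADER_LEN 4u

/* Unchecked variant: 32-bit addition of an attacker-controlled length.
 * For declared_len close to UINT32_MAX the sum wraps to a tiny value, so a
 * buffer sized from it is far too small for the bytes the parser later
 * copies (out-of-bounds read/write), or an allocation that fails returns
 * NULL and is then written to. */
uint32_t total_len_unchecked(uint32_t declared_len)
{
    return declared_len + FRAME_HEADER_LEN;
}

/* Checked variant: refuse the block before any arithmetic can wrap, and
 * refuse lengths that claim more data than the input actually contains.
 * Returns 1 and fills *out on success, 0 if the block is rejected. */
int total_len_checked(uint32_t declared_len, size_t bytes_remaining, uint32_t *out)
{
    if (declared_len > UINT32_MAX - FRAME_HEADER_LEN)
        return 0;                       /* sum would wrap */
    if ((size_t)declared_len + FRAME_HEADER_LEN > bytes_remaining)
        return 0;                       /* length exceeds available input */
    *out = declared_len + FRAME_HEADER_LEN;
    return 1;
}

/* Parse one block: 4-byte big-endian length, then payload.
 * Returns the payload length on success, -1 if the block is rejected. */
long parse_block(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < FRAME_HEADER_LEN)
        return -1;
    uint32_t declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                        ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    uint32_t total;
    if (!total_len_checked(declared, buf_len, &total))
        return -1;
    return (long)declared;
}

/* Constructed samples: a well-formed 3-byte block, and a block whose length
 * field is 0xFFFFFFFE (the unchecked sum wraps to 2). */
static const uint8_t SAMPLE_GOOD[] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t SAMPLE_BAD[]  = {0xFF, 0xFF, 0xFF, 0xFE, 'x'};

long parse_sample_good(void) { return parse_block(SAMPLE_GOOD, sizeof SAMPLE_GOOD); }
long parse_sample_bad(void)  { return parse_block(SAMPLE_BAD,  sizeof SAMPLE_BAD);  }

int main(void)
{
    printf("good block payload: %ld\n", parse_sample_good());
    printf("bad block, unchecked total: %u\n", total_len_unchecked(0xFFFFFFFEu));
    printf("bad block, checked parse: %ld\n", parse_sample_bad());
    return 0;
}
```

The checked variant does the comparison before the addition, which is the part that matters: testing `total < declared_len` after the fact also works for unsigned types, but a pre-check reads unambiguously and does not depend on the reader knowing that unsigned wraparound is defined behaviour.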
Proof Of Concept
The Proof of Concept (PoC) app was published by Trend Micro and is reproduced below. It includes a malformed MKV file (res/raw/crash.mkv) to demonstrate how the attack functions. Once the app is started, the mediaserver service keeps crashing.
Figure 1. The mediaserver service continuously restarting after the exploit is triggered
This will cause the device to become totally silent and non-responsive. This means that:
No ring tone, text tone, or notification sounds can be heard.
The user will have no idea of an incoming call or message, and cannot even accept a call. Neither party will hear the other.
The UI may become very slow to respond, or completely non-responsive.
If the phone is locked, it cannot be unlocked.
In many ways this vulnerability is similar to the Stagefright attack we reported yesterday. The Stagefright attack is also triggered by the specific way in which the Android OS ecosystem handles media files. The differences are that the Stagefright vulnerability affects nearly all Android smartphones, while the Silent Attack vulnerability affects only versions from Jelly Bean to Lollipop, and that the two bugs lie in different parts of the media handling code. Trend Micro Labs says it informed Google (the Android Engineering Team) about the vulnerability in May 2015, but as of now no patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix it. Techworm reached out to Google for comment, and a Google spokesperson told us in an emailed reply: "Should there be an actual exploit of this, the only risk to users is temporary disruption to media playback on their device. So, simply uninstalling the unresponsive application or not returning to a website that causes the browser to hang would correct the issue. In addition, we will provide a fix in a future version of Android."