Maliciously Crafted Media File Can Crash Android Phones
Hot on the heels of maliciously crafted text messages allowing a bad guy to pwn your Android phone comes this new vulnerability. According to Trend Micro, it’s a maliciously crafted media file that is the attack vector:
“We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen. This vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop). Combined, these versions account for more than half of Android devices in use today. No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability since we reported it in late May.
“This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.”
Lovely. One other thing to consider is that, like the other vulnerability that I linked to, it may take a very long time to get this fixed, assuming that you get it fixed at all. You can blame that on how fragmented the responsibility for the Android OS is.
Let’s see how long it takes before exploits show up in the wild.
This entry was posted on July 29, 2015 at 2:00 pm and is filed under Commentary with tags Android. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.