Another Android flaw affects nearly all devices
Meanwhile, Android is still struggling with Stagefright, another recently revealed vulnerability.
Trend Micro notes that the latest problem follows a rash of three other major vulnerabilities in Android’s mediaserver component. Stagefright, which was originally discovered by Zimperium zLabs security researcher Joshua Drake, reportedly allows hackers to take control of certain features on unpatched Android devices remotely by injecting malicious code through a multimedia file sent via MMS (Multimedia Messaging Service), thereby compromising the device. Although Google has issued a patch, millions of handsets remain vulnerable not only to Stagefright, but also to the more recent AudioEffect exploit.
The flaw, which affects Android versions 2.3 to 5.1.1, was reported to Google in June and a fix for it was published to the Android Open Source Project (AOSP) on August 1, according to the researchers.
The security flaw involves a mediaserver component called AudioEffect.
The danger potentially comes from booby-trapped apps, although nothing bad along these lines has been witnessed so far and there are no known active attacks against this vulnerability, which Google fixed earlier this month.
In addition to downloading mobile security software to protect against such vulnerabilities, Android users can try rebooting their devices in safe mode and uninstalling the malicious apps if they believe they have been affected, Wu added. An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines.
Competitors such as Microsoft have also criticized Google for its generally hands-off approach to security updates, which tends to rely upon device manufacturers and network carriers to roll out bug fixes to their customers. As with Stagefright, the researchers have waited for Google to release a patch before announcing their discovery.
Android security and the notoriously haphazard delivery of updates across the highly fragmented Android ecosystem have been under the spotlight ever since the Stagefright bugs were disclosed.