Days after a security flaw in Android’s media playback system Stagefright was publicly revealed, threatening nearly a billion Android devices, another wide-reaching security flaw could be used to make a victim’s Android device completely unresponsive.
According to security firm Trend Micro, which publicly disclosed info about the vulnerability Wednesday, the new security flaw affects all devices running Android 4.3 to the present version, 5.1.1. By Google’s count, that’s around 57 percent of all Android devices in use today — or more than 900 million devices.
Just like the Stagefright bug, the new security flaw stems from the way Android handles video. The mediaserver service, which Android uses to index media files on the device, can be made to crash if it encounters a “malformed” video using the Matroska container (usually a .mkv file). Once that happens, the Android device will become “totally silent and non-responsive,” according to Trend Micro: you won’t be able to hear a ring tone or any notification sounds or accept a call; the device’s UI will become very slow, and if the phone is locked, you won’t be able to unlock it.
A malicious hacker could set up a website to do this to your phone, with the .mkv file embedded into an HTML page, but that would likely be fixable by restarting the device. However, another type of attack is possible: If an attacker creates an app that embeds the .mkv file and autostarts at boot, the device will simply crash immediately after it’s turned on.
This particular vulnerability does not allow for remote code execution, making it less dangerous than the Stagefright bug. However, Trend Micro suspects the mediaserver service could contain more, previously undiscovered bugs.
Trend Micro reported the vulnerability to Google, which, according to the security company, labeled it as a “low priority” vulnerability. We’ve contacted Google regarding the new security flaw and will update the article when we hear from them.