
Google Patches Another Stagefright-Style Android Flaw

Security researchers said they have uncovered another “high severity” security flaw in Android, in the same component as the widely publicised Stagefright bug, that affects every version of the mobile operating system since 2.3, released five years ago.

Google has added a patch for the flaw to Android’s source code, but such patches may take weeks or months to reach users, if they arrive at all, because updates depend on the policies of individual handset makers and mobile network operators.

Arbitrary code execution

The bug affects Android’s mediaserver component, which handles media files, the same component in which the Stagefright library is found, according to Trend Micro.

The new bug affects the AudioEffect library, part of mediaserver, and could be exploited via a malicious application to execute arbitrary code with the same privileges as mediaserver, Trend said.

“Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk,” wrote Trend engineer Wish Wu in an advisory.

Unlike the Stagefright flaws, which could be exploited simply by sending a video message, even if the message was not opened, the AudioEffect bug requires the attacker to trick the user into installing a malicious application, Wu said.

Difficult to detect

However, this app does not need to ask the user to grant any permissions, and can launch its attack weeks or months later, making it difficult to spot, Wu said.

“Real-world attacks won’t involve apps that are easy to detect,” Wu wrote.

Malware is a growing problem on Android, with nearly 5,000 new malware files produced each day targeting the platform, according to recent figures from G Data Security Labs. Security firm Avast recently estimated that 50 million Android devices are infected with malware.

Trend said users can protect themselves by installing security software, updating their devices with Google’s patch, or launching their device in safe mode and uninstalling the malicious app.

The patch is, however, only available via particular Android handset makers, and the uninstallation process requires advanced skills, Trend acknowledged.

“This method might prove difficult, especially for those unaccustomed to tinkering with their devices,” Wu wrote.

Trend said there are so far no known attacks targeting the vulnerability.

‘High severity’

Google assigned the bug the reference CVE-2015-3842 and gave it a “high severity” rating, Trend said. Its patch was added to the Android source code on 1 August, according to Trend, and is likely to be included in the monthly security updates Google sends to its Nexus range of devices in September.

The company committed to the regular updates due to the attention given to the Stagefright bugs, which affect nearly 1 billion devices. Samsung, LG and others have said they will work with network operators to deliver regular updates.

Google did not immediately respond to a request for comment.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
