
Google Patches Another Stagefright-Style Android Flaw

Security researchers said they have uncovered another “high severity” security flaw in Android, located in the same component as the widely publicised Stagefright bug and affecting every version of the mobile operating system since 2.3, released five years ago.

Google has added a patch for the flaw to Android’s source code, but such patches may take weeks or months to reach users, if they arrive at all, because updates depend upon the policies of individual handset makers and mobile network operators.

Arbitrary code execution

The bug affects Android’s mediaserver component, which handles media files, the same component in which the Stagefright library is found, according to Trend Micro.

The new bug affects the AudioEffect library, part of mediaserver, and could be exploited by a malicious application to execute arbitrary code with the same privileges as mediaserver, Trend said.

“Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk,” wrote Trend engineer Wish Wu in an advisory.

Unlike the Stagefright flaws, which could be exploited simply by sending a video message, even if the message was not opened, the AudioEffect bug requires the attacker to trick the user into installing a malicious application, Wu said.

Difficult to detect

However, this app does not need to ask the user to grant any permissions, and can launch its attack weeks or months later, making it difficult to spot, Wu said.

“Real-world attacks won’t involve apps that are easy to detect,” Wu wrote.

Malware is a growing problem on Android, with nearly 5,000 new malware files produced each day targeting the platform, according to recent figures from G Data Security Labs. Security firm Avast recently estimated that 50 million Android devices are infected with malware.

Trend said users can protect themselves by installing security software, updating their devices with Google’s patch, or launching their device in safe mode and uninstalling the malicious app.

The patch is, however, only available via particular Android handset makers, and the uninstallation process requires advanced skills, Trend acknowledged.

“This method might prove difficult, especially for those unaccustomed to tinkering with their devices,” Wu wrote.

Trend said there are so far no known attacks targeting the vulnerability.

‘High severity’

Google assigned the bug the reference CVE-2015-3842 and gave it a “high severity” rating, Trend said. Its patch was added to the Android source code on 1 August, according to Trend, and is likely to be included in the monthly security updates Google sends to its Nexus range of devices in September.

The company committed to regular updates following the attention given to the Stagefright bugs, which affect nearly 1 billion devices. Samsung, LG and others have said they will work with network operators to deliver regular updates.

Google did not immediately respond to a request for comment.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDnet and other leading publications.
