A number of weaknesses in the Android operating system have been revealed of late, and the latest effectively locks the user out of their device.
Hackers recently revealed the critical Stagefright weakness, and now security blog Trend Micro has demonstrated another problem which uses a malformed MKV media file to make the device unresponsive and silent. For the weakness to be exploited, users will have to install an app laced with malware, or visit a suspicious website, writes JC Torres for SlashGear.
Malicious file crashes Android mediaserver
Hackers gain access to restricted parts of the system by overflowing data buffers beyond their secure limits. This particular hack triggers the overflow when mediaserver scans a malicious MKV video file that it cannot handle. As a result the server crashes, bringing the whole system down.
Consequently no notification or sound can be heard; the device is mute. Secondly the system can be slowed to such an extent that it becomes unresponsive, which is a huge problem if the device is locked at the time because there would then be no way of unlocking it.
User action is required to activate the flaw. A malicious file can be downloaded from a malicious website which autoplays a video file, or downloaded via an app. Hackers could program the malicious app to autostart, which would make the phone crash when it boots.
Google seemingly content to leave Android weakness open
Although hackers rely on user error to exploit the weakness, multiple studies have shown that it unfortunately it is not difficult to make users do so. According to Trend Micro, it reported the bug to Google in May, but the company has not released a patch.
Worryingly it appears that the flaw is a low priority for Google. That fact, as well as the time it takes for a patch to get from Google to OEM to users, means that the flaw will almost certainly be open to hackers for the foreseeable future.
Despite growing awareness of the dangers of downloading malicious files and visiting untrustworthy websites, hackers are often able to profit from our natural human curiosity. The continued success of phishing scams, even at corporations and public bodies where employees receive cybersecurity training, shows that curiosity can sometimes trump common sense.