Security firm Trend Micro has found a new vulnerability in Android's mediaserver component, which is suspected to have stemmed from a built-in feature known as AudioEffect.
The company warns that hundreds of thousands of Android devices could be at risk since the discovery of the security bug, named CVE-2015-3842, is said to affect devices that run Android versions starting from 2.3 Jelly Bean up to 5.1.1 Lollipop. The flaw, warns Trend Micro, can allow an attacker to run his own code on a vulnerable device.
"With this new vulnerability, an attacker would be able to run their code with the same permissions that the mediaserver program already has as part of its normal routines," said Wish Wu, Mobile Threat Response Engineer at Trend Micro. "Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. Devices with customized versions of Android but with no modification made to the media server component are also affected."
The issue is the latest from a series of major vulnerabilities that have involved the mediaserver component of Android devices. Other vulnerabilities that have been discovered include CVE-2015-3823, which causes the devices to be trapped in endless reboots, ANDROID-21296336, which renders devices silent or lifeless, and CVE-2015-3824, otherwise known as Stagefright, which allows an attacker to install malware by a simple multimedia message.
"This vulnerability, now known as Stagefright, has gained a lot of attention for the potential attacks it can cause," said Wu in a blog post. "Stagefright makes it possible, for example, for an attacker to install a spyware app in a target's phone without their knowledge just by sending an MMS."
While it is true that Google released bug fixes on the first week of August, the security research team at Exodus Intelligence said that the Stagefright patch was incomplete. As a result, the team at Android decided to create a new patch that Google claimed was distributed to its partners. The company also added that the patch will become available to Nexus and Nexus Player devices the following month.
As the list of vulnerabilities continues to grow, Android OEMs are therefore prompted to work hand in hand with carriers to assure end users that their devices will receive a monthly patching cycle involving more reliable and more regular security updates.
"The mediaserver deals with multimedia-related tasks, such as opening and reading MP4 files, decoding/encoding an MPEG4 stream, taking pictures, recording videos and audio, and so on," added Wu. "A patch has been delivered by Google, but when it will arrive to user devices depends on the device OEMs."
