This article is more than 1 year old

Don't want pranksters 'bricking' your Android? Just stop using the internet, duh – Google

Thanks for the top tip, now where's the patch?

Video Trend Micro peeps say they have discovered a security bug that miscreants can exploit to seemingly murder millions of Android smartphones.

A device will appear lifeless and unable to make calls, with a dead screen and no sound output, if an attack is successful, we're told. All a victim has to do is visit a dodgy webpage, or run an app containing a malicious file. Rebooting the supposedly dead smartphone will revive it.

Google's solution is to simply get over it, not browse untrusted websites on your phone, and avoid installing evil applications. A patch to fix the hole is on its way, we're told.

The vulnerability stems from an integer overflow bug in Android's media server service, which can be exploited by a malformed video file in a Matroska container. When Android tries to index the file, it crashes, bringing the rest of the operating system down with it.
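The article gives no code for the flaw, so what follows is an added illustration of the bug class it describes, not Android's media server source or Trend Micro's proof-of-concept: a Matroska (EBML) element size is decoded and checked against the buffer, first with 32-bit addition that wraps and then with an overflow-safe comparison. The function names, the 32-bit arithmetic and the sample bytes are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode an EBML variable-length integer (Matroska element sizes use these).
 * Returns bytes consumed, or 0 if the input is truncated or invalid. */
static size_t ebml_read_vint(const uint8_t *p, size_t avail, uint64_t *out)
{
    if (avail == 0 || p[0] == 0) return 0;
    size_t n = 1;
    uint8_t mask = 0x80;
    while (!(p[0] & mask)) { mask >>= 1; n++; }  /* leading zero bits give the length */
    if (n > avail) return 0;
    uint64_t v = p[0] & (uint8_t)(mask - 1);     /* drop the length marker bit */
    for (size_t i = 1; i < n; i++)
        v = (v << 8) | p[i];
    *out = v;
    return n;
}

/* Naive check in 32-bit arithmetic (assumed): pos + size wraps modulo 2^32. */
static int fits_naive(uint32_t pos, uint32_t size, uint32_t len)
{
    return (uint32_t)(pos + size) <= len;
}

/* Overflow-safe check: compare the declared size with the bytes that remain. */
static int fits_checked(uint64_t pos, uint64_t size, uint64_t len)
{
    return pos <= len && size <= len - pos;
}

/* Constructed sample: 5-byte vint declaring size 0xFFFFFFFE, then 4 payload bytes. */
static const uint8_t SAMPLE[] = {0x08, 0xFF, 0xFF, 0xFF, 0xFE, 0xAA, 0xBB, 0xCC, 0xDD};

/* Returns 1 if the element is accepted, 0 if rejected, -1 if the size field is malformed. */
int check_sample(int use_checked)
{
    uint64_t size = 0;
    size_t n = ebml_read_vint(SAMPLE, sizeof SAMPLE, &size);
    if (n == 0) return -1;
    return use_checked ? fits_checked(n, size, sizeof SAMPLE)
                       : fits_naive((uint32_t)n, (uint32_t)size, (uint32_t)sizeof SAMPLE);
}

int main(void)
{
    printf("naive=%d checked=%d\n", check_sample(0), check_sample(1));
    return 0;
}
```

The naive check accepts an element that claims almost 4 GiB of payload in a 9-byte buffer because the sum wraps to 3; the checked form rejects it before any read is attempted.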

"Ransomware is likely to use this vulnerability as a new 'threat' for users: in addition to encrypting data on the device, the device itself would be locked out and unable to be used. This would increase the problems the user faces and make them more likely to pay any ransom," said Trend's mobile threat response engineer Wish Wu.

As a proof-of-concept, Wu created a seemingly normal application that included the malformed .mkv container. When the user taps the app's icon, the phone is swiftly borked:

Youtube video

In addition to this, Wu set up a website hosting the same file. When the phone is directed to the site – something that's easy enough to do for a reasonably confident social engineer – the phone suffers similar problems.

The flaw affects Android versions 4.3 and above, meaning about half of all 'droid handsets out there are vulnerable. Trend warned Google of the bug in May but went public with it on Wednesday this week.

Google isn't that concerned about the issue, though, or perhaps it's too busy dealing with the Stagefright clusterfuck. The media server vulnerability is being treated as a low priority.

"We want to thank the researcher for their report as it helps strengthen Android's security. While our team is monitoring closely for potential exploitation, we've seen no evidence of actual exploitation," Google told The Register in a statement.

"Should there be an actual exploit of this, the only risk to users is temporary disruption to media playback on their device. So, simply uninstalling the unresponsive application or not returning to a website that causes the browser to hang would correct the issue. In addition, we will provide a fix in a future version of Android." ®
