More details have emerged about yet another Android vulnerability, that, like other recent flaws, revolves around how the Google-backed mobile operating system handles media files.
The Android Mediaserver vulnerability might be exploited to perform attacks involving arbitrary code execution, security researchers at Trend Micro warn. The security bug (CVE-2015-3842) affects Android versions 2.3 to 5.1.1, so hundreds of thousands of devices are potentially at risk.
The danger potentially comes from booby-trapped apps, although nothing bad along these lines has been witnessed so far and there are no known active attacks against this vulnerability, which Google fixed earlier this month.
Getting patches applied to vulnerable systems may however take some time due to the fragmented nature of the Android ecosystem as well as the lack of an efficient patch delivery mechanism, at least outside of Google's home-grown Nexus devices.
Trend Micro notes that the latest problem follows a rash of three other major vulnerabilities in Android’s Mediaserver component. The CVE-2015-3823 flaw creates a means to trap phones in endless reboots, ANDROID-21296336 may render devices silent, and CVE-2015-3824 (Stagefright), can be used to install malware through a multimedia message.
The security firm reported the issue, along with the corresponding proof-of-concept (harmless exploit code that relies on the bug to work), to the Android Security Team on 19 June. Google, which accepted the flaw as a high severity vulnerability, published a fix on 1 August.
Trend's comprehensive write-up of the flaw – featuring a complete tear-down of the bug – was published on Monday (here). ®