IT Security: Multimedia Threats on Android

Trend Micro calls attention to a new security hole related to the management of multimedia files on Android.

For the second time this week, the alarm is being raised over the security problems posed by the handling of multimedia files on Android.

The American vendor Zimperium Labs Mobile got the ball rolling on Monday by disclosing the Stagefright attack, which is linked to flaws in the software library of the same name, used to play multiple video formats.

Trend Micro adds to this with a vulnerability that can be exploited to plunge smartphones into a state that can be described as vegetative: no more sound or vibration, no way to make or receive calls, an almost unusable interface, and a phone that can no longer be unlocked.

More than half of Android devices are affected: the flaw is present in all versions of the OS between 4.3 “Jelly Bean” and 5.1.1 “Lollipop”.

There are two ways to exploit the flaw: a malicious application or a fraudulent web page.

The method differs, but the principle is the same: take advantage of a weakness in the mediaserver service, which is used to index the media files on a device.

Certain specially crafted files in the Matroska container (usually with the .mkv extension) can cause an integer overflow. The result is either a read beyond the bounds of a buffer or a write to the NULL address, a value considered “impossible.”
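To illustrate the bug class described above, here is an added example (not code from AOSP, Trend Micro or the original article, which does not show the faulty code). It decodes a Matroska/EBML variable-length size field and contrasts a bounds check that can wrap with a hardened one; all function names and the sample byte arrays are hypothetical and constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode an EBML variable-length size field. Returns bytes consumed, 0 on error. */
static size_t ebml_read_size(const uint8_t *p, size_t avail, uint64_t *out)
{
    if (avail == 0 || p[0] == 0) return 0;   /* empty input or field longer than 8 bytes */
    size_t len = 1; uint8_t mask = 0x80;
    while (!(p[0] & mask)) { mask >>= 1; len++; }   /* leading zeros give the length */
    if (len > avail) return 0;
    uint64_t v = p[0] & (uint8_t)(mask - 1);        /* drop the length marker bit */
    for (size_t i = 1; i < len; i++) v = (v << 8) | p[i];
    *out = v;
    return len;
}

/* Bug class: the declared size is truncated to 32 bits and added to the offset,
 * so the sum can wrap around and still pass the bounds check. */
static int payload_fits_unsafe(uint32_t offset, uint64_t size, uint32_t buf_len)
{
    return offset + (uint32_t)size <= buf_len;
}

/* Hardened: compare against the bytes remaining, with no addition that can wrap. */
static int payload_fits_safe(size_t offset, uint64_t size, size_t buf_len)
{
    return offset <= buf_len && size <= (uint64_t)(buf_len - offset);
}

/* Payload length of the element at `off` (1-byte ID assumed), or -1 if it is
 * malformed or its declared size exceeds the buffer. */
static long long element_payload_len(const uint8_t *buf, size_t len, size_t off)
{
    uint64_t size;
    if (off >= len) return -1;
    size_t n = ebml_read_size(buf + off + 1, len - off - 1, &size);
    if (n == 0 || !payload_fits_safe(off + 1 + n, size, len)) return -1;
    return (long long)size;
}

/* Constructed samples: a well-formed 4-byte element, and one declaring 0xFFFFFFFF bytes. */
static const uint8_t GOOD[] = { 0xA3, 0x84, 1, 2, 3, 4 };
static const uint8_t OVERSIZED[] = { 0xA3, 0x08, 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
int main(void)
{
    printf("good=%lld oversized=%lld unsafe_accepts=%d\n",
           element_payload_len(GOOD, sizeof GOOD, 0),
           element_payload_len(OVERSIZED, sizeof OVERSIZED, 0),
           payload_fits_unsafe(6, 0xFFFFFFFFu, (uint32_t)sizeof OVERSIZED));
    return 0;
}
```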

The resulting error causes a system crash and a reboot loop, since the malicious application is set to run when the OS starts. The end result is a denial-of-service (DoS) attack.

The alternative technique is harder to pull off, and for good reason: the browser must be opened to display the HTML page in which the booby-trapped .mkv file is embedded.

The advantage for attackers is that the attack works even when preloading and autoplay are disabled, as is the case by default in the mobile version of Google Chrome.

One solution: start in safe mode so that no third-party component is loaded. Then open the list of installed applications and delete the one causing the problem.

Trend Micro's disclosure comes more than two months after the flaw was reported to the team developing the Android Open Source Project (AOSP), which acknowledged receipt and assigned it a low priority.