Researchers warn of major Android vulnerability

July 30, 2015 // 12:41 p.m.


Security researchers have published details of a vulnerability in Google's Android platform which can soft- or even hard-brick devices through a malicious app or website, and for which no patch is yet available.

Google's Android platform, acquired by the company ahead of its push into the smartphone market, has proven a stellar success. Android smartphones account for the overwhelming majority of the market with an estimated 78 per cent share, but that success comes at a price: Android has become an extremely tempting target for crackers, criminals, and other ne'er-do-wells. The news, then, that there is an unpatched bug in all versions of Android from 4.3 'Jelly Bean' right through to the very latest Android 5.1.1 'Lollipop' - accounting for more than half of all Android devices in the wild - is unwelcome in the extreme.

'We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen,' explained Trend Micro's Wish Wu in a blog post announcing the team's findings. 'This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.'

The vulnerability is serious and has multiple exploitation vectors, and there's a bigger problem: Google has apparently been sitting on the issue since late May, and a patch has yet to be developed - leaving even those with fully-updated handsets at risk - following the company's declaration that the flaw is a 'low-priority vulnerability.'

An example of the vulnerability being used to crash a handset through a malicious app is included below.
