• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Mobile   »   Trend Micro Discovers Vulnerability That Renders Android Devices Silent

Trend Micro Discovers Vulnerability That Renders Android Devices Silent

  • Posted on:July 29, 2015 at 2:05 am
  • Posted in:Mobile, Vulnerabilities
  • Author:
    Wish Wu (Mobile Threat Response Engineer)
24

We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen. This vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop). Combined, these versions account for more than half of Android devices in use today. No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability since we reported it in late May.

This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would case the OS to crash every time it is turned on.

In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability. Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs.

Vulnerability Description

The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system).

The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data. The source code below – found in the frameworks/av/media/libstagefright/matroska/MatroskaExtractor.cpp file – shows the vulnerability in detail:

865 size_t offset = 1;
866 size_t len1 = 0;
867 while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {//codecPrivate is controlled by the mkv file
868 len1 += 0xff;
869 ++offset;
870 }
871 if (offset >= codecPrivateSize) {
872 return ERROR_MALFORMED;
873 }
874 len1 += codecPrivate[offset++];
875
876 size_t len2 = 0;
877 while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {
878 len2 += 0xff;
879 ++offset;
880 }
881 if (offset >= codecPrivateSize) {
882 return ERROR_MALFORMED;
883 }
884 len2 += codecPrivate[offset++];
885
886 if (codecPrivateSize < offset + len1 + len2) {//len1 or len2 maybe 0xffffffff, then integer overflow happened
887 return ERROR_MALFORMED;
888 }
889
890 if (codecPrivate[offset] != 0x01) {
891 return ERROR_MALFORMED;
892 }
893 meta->setData(kKeyVorbisInfo, 0, &codecPrivate[offset], len1);//crash in here

Proof Of Concept

We created a proof-of-concept app that includes a malformed MKV file (res/raw/crash.mkv) to demonstrate how this attack functions. Once the app is started, the mediaserver service will keep crashing.

Figure 1. The mediaserver service continuously restarting after the exploit is triggered

This wil cause the device to become totally silent and non-responsive. This means that:

  • No ring tone, text tone, or notification sounds can be heard. The user will have have no idea of an incoming call/message, and cannot even accept a call. Neither party will hear each other.
  • The UI may become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.

Figure 2. Unresponsive phone

The video below demonstrates the exploitation through a malicious app.

As for exploitation through the specially-crafted URL, we’ve created a test website with the same MKV file embedded into an HTML page. When this site is loaded using the Chrome browser, we see the same effect:

Figure 3. HTML code of test page

What’s more, although mobile Chrome disables preload and autoplay of videos, the malformed MKV still causes the Chrome to read more than 16MB until mediaserver crashes. It appears to have bypassed the limitation.

Potential threat scenarios

As we mentioned above, there are two ways that this attack can be exploited: the user can either visit a malicious site or download a malicious app.

There are many common techniques that could be used to lure a user to a malicious site. We’ve discussed in the past how repackaged apps pose a problem for users who may have a hard time differentiating legitimate apps from repackaged ones.

Whatever means is used to lure in users, the likely payload is the same. Ransomware is likely to use this vulnerability as a new “threat” for users: in addition to encrypting on the device being encrypted, the device itself would be locked out and unable to be used. This would increase the problems the user faces and make them more likely to pay any ransom.

Further research into Android – especially the mediaserver service – may find other vulnerabilities that could have more serious consequences to users, including remote code execution. One of them is Stagefright, a recently discovered vulnerability which can infect Android devices using just one MMS.

We reported this vulnerability privately to Google and received responses on the following dates:

  • May 15 – Trend Micro reported the vulnerability to Google
  • May 20 – Google acknowledged the report as a low priority vulnerability identified it as ANDROID-21296336

For ransomware and other apps that may disrupt the functionality of mobile devices, users can opt to reboot their device in “safe mode,” which is similar to the safe mode found in Windows. Safe mode allows users to start up their device without loading any third-party apps. Booting in safe mode should allow users to access the list of installed apps and remove the malicious app. Booting in safe mode may vary per device so we advise users to consult their device or network provider before proceeding.

Protect your Android devices with on-device security solutions like Trend Micro Mobile Security (TMMS) to block threats like these. TMMS watches out for vulnerabilities that can be used to alter system functions like the notification sounds and display.

Find out more mobile stories and graphics in our Mobile Threat Intelligence Center.

Updated on July 30, 2015, 7:54 A.M. PDT (UTC-7) to include more solutions addressing ransomware and other disruptive apps.

Updated on October 25, 2015, 11:25 P.M. PDT (UTC-7)

This vulnerability was assigned as CVE-2015-3861 on September 9, 2015 and a fix has been issued.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: androidjellybeanMediaservermobile vulnerabilities

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.