Another day, another Android vulnerability. A new security flaw has been found in the mediaserver component of Google’s mobile operating system, the same component that gave rise to the Stagefright bug. The vulnerability in question lies in the way Android handles media files, and if exploited, could allow an attacker to execute arbitrary codes. The vulnerability affects the vast majority of Android devices, running on version 2.3 to 5.1.1. Google has already published a fix for it to the AOSP program, though due to heavy fragmentation in the ecosystem, it could take a while before hitting your device.
Called CVE-2015-3842, the vulnerability has been found in the AudioEffect component of Android’s mediaserver component. The vulnerability, as reported by security firm TrendMicro, lies in the implementation of this feature which does not properly check for buffer sizes supplied by clients. An attacker can abuse this vulnerability by convincing users to install apps that don’t require any special permissions, and afterwards run arbitiary code on their devices.
“It uses an unchecked variable which comes from the client, which is usually an app. For an attack to begin, attackers convince the victim to install an app that doesn’t require any required permissions, giving them a false sense of security,”wrote Trend Micro in a blog post.
Among the things that could happen in the aftermath of the attack include compromised control of the camera, improper rendering of mp4 files, tweaks in privacy settings – essentially the tasks that are linked to the mediaserver component.
The comforting part of the news is that there are no known active exploits based on this vulnerability – and Google has already published a fix for it. Though, when will you receive this update on your device depends on the OEM. Trend Micro claims users can download its mobile security suite TMSS to be able to detect any threats trying to use the vulnerability.
