Google Patches Another Stagefright-Style Android Flaw

Security researchers said they have uncovered another “high severity” security flaw in Android, affecting the same component as the widely publicised Stagefright bug and affecting every version of the mobile operating system since 2.3, released five years ago.

Google has added a patch for the flaw into Android’s source code, but such patches may take weeks or months to reach users, if they arrive at all, due to the fact that updates depend upon the policies of individual handset makers and mobile network operators.

Arbitrary code execution

The bug affects Android’s mediaserver component, which handles media files, the same component in which the Stagefright library is found, according to Trend Micro.

The new bug affects the AudioEffect library, part of mediaserver, and could be exploited via a malicious application to execute arbitrary code with the same privileges as mediaserver, Trend said.

“Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk,” wrote Trend engineer Wish Wu in an advisory.

Unlike the Stagefright flaws, which could be exploited simply by sending a video message, even if the message was not opened, the AudioEffect bug requires the attacker to trick the user into installing a malicious application, Wu said.

Difficult to detect

However, this app does not need to ask the user to grant any permissions, and can launch its attack weeks or months later, making it difficult to spot, Wu said.

“Real-world attacks won’t involve apps that are easy to detect,” Wu wrote.

Malware is a growing problem on Android, with nearly 5,000 new malware files produced each day targeting the platform, according to recent figures from G Data Security Labs. Security firm Avast recently estimated that 50 million Android devices are infected with malware.

Trend said users can protect themselves by installing security software, updating their devices with Google’s patch, or lauching their device in safe mode and uninstalling the malicious app.

The patch is, however, only available via particular Android handset makers, and the uninstallation process requires advanced skills, Trend acknowledged.

“This method might prove difficult, especially for those unaccustomed to tinkering with their devices,” Wu wrote.

Trend said there are so far no known attacks targeting the vulnerability.

‘High severity’

Google assigned the bug the reference CVE-2015-3842 and have it a “high severity” rating, Trend said. Its patch was added to the Android source code on 1 August, according to Trend, and is likely to be included in the monthly security updates Google sends to its Nexus range of devices in September.

The company committed to the regular updates due to the attention given to the Stagefright bugs, which affect nearly 1 billion devices. Samsung, LG and others have said they will work with network operators to deliver regular updates.

Google did not immediately respond to a request for comment.

Are you a security pro? Try our quiz!