Another day, another Android issue: new developments in the Stagefright vulnerability have emerged. In addition to attackers using MMS to compromise phones, Trend Micro has disclosed to Google two further ways for criminals to gain complete control of a device.
Devices can be infected by a malicious video file that plays automatically when a website is opened. The attack does not depend on that setting: according to Trend Micro, it works even if auto-play of videos has been disabled in Chrome, and once the video has been processed the attacker has complete control of the device.
Malicious apps or MP4 files can also be built to exploit the vulnerability. Once they are downloaded and opened, attackers can take over.
While disabling MMS will protect from one of Stagefright’s vulnerabilities, it won’t protect against these two new attack vectors.
“Unfortunately, there are no known mitigations for web-based video attacks, leaving users defenseless if they come across such a video,” the firm said.
The vulnerability is in the media-server component, which is responsible for parsing and handling media files. It cannot correctly handle a malformed MP4 file: the parser triggers a heap overflow and overwrites data in the heap. This can lead to code execution, which in turn can be used to download and install an app onto the device.
The root cause is an integer overflow while parsing the MP4 file. The size fields taken from the file are added together without an overflow check; the wrapped result yields a buffer that is too small for the data subsequently copied into it, so the copy writes past the end of the buffer. Specifically, the overflow occurs when the media-server parses tx3g-flagged data, the chunk type normally used to carry timed-text subtitles.
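The following is an added example, not code from the article or from Android's media-server, illustrating the class of bug described above: an allocation size computed from attacker-controlled chunk sizes wraps, so a later copy runs past the buffer. The chunk layout (4-byte big-endian size, 4-byte type such as `tx3g`, then payload), the sample chunks and the function names are all assumptions made for this example. The vulnerable function returns the wrapped size instead of allocating from it; the checked version shows the bounds checks that prevent the overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_HDR 8 /* 4-byte size + 4-byte type, as in MP4 boxes */

/* Constructed sample chunks (not real subtitle data): one well-formed
   20-byte tx3g chunk and one whose declared size is close to 2^32. */
static const uint8_t good_chunk[] = {
    0x00, 0x00, 0x00, 0x14, 't', 'x', '3', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t evil_chunk[] = {
    0xFF, 0xFF, 0xFF, 0x80, 't', 'x', '3', 'g'
};

/* Read a big-endian 32-bit integer. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: accumulated size plus the chunk size from the file,
   added in 32 bits with no check. For evil_chunk and an existing size of
   0x100 the sum wraps to 0x80, so a buffer allocated from it would be 128
   bytes while the following copy would move ~4 GB into it. */
uint32_t tx3g_alloc_size_vulnerable(uint32_t existing_size,
                                    const uint8_t *chunk_hdr) {
    uint32_t chunk_size = be32(chunk_hdr);
    return existing_size + chunk_size; /* may wrap */
}

/* Hardened version. Returns the total size, or -1 if the chunk is shorter
   than its own header, longer than the bytes actually present in the file,
   or would overflow the accumulated size. */
int64_t tx3g_alloc_size_checked(uint32_t existing_size,
                                const uint8_t *chunk_hdr,
                                size_t bytes_available) {
    uint32_t chunk_size = be32(chunk_hdr);
    if (chunk_size < CHUNK_HDR) return -1;
    if (chunk_size > bytes_available) return -1;
    if (chunk_size > UINT32_MAX - existing_size) return -1;
    return (int64_t)existing_size + chunk_size;
}

/* Append a whole chunk into a caller-owned buffer, only after the size
   arithmetic and the destination capacity have both been validated. */
int tx3g_append(uint8_t *dst, size_t dst_cap, size_t *dst_len,
                const uint8_t *chunk, size_t avail) {
    if (avail < CHUNK_HDR || *dst_len > UINT32_MAX) return -1;
    int64_t total = tx3g_alloc_size_checked((uint32_t)*dst_len, chunk, avail);
    if (total < 0 || (uint64_t)total > dst_cap) return -1;
    memcpy(dst + *dst_len, chunk, be32(chunk));
    *dst_len = (size_t)total;
    return 0;
}

/* Feed both chunks through the checked path; returns the bytes retained
   (20: the good chunk accepted, the evil chunk rejected), or 0 on error. */
size_t demo_parse(void) {
    uint8_t buf[64];
    size_t len = 0;
    if (tx3g_append(buf, sizeof buf, &len, good_chunk, sizeof good_chunk) != 0)
        return 0;
    if (tx3g_append(buf, sizeof buf, &len, evil_chunk, sizeof evil_chunk) == 0)
        return 0; /* must be rejected */
    return len;
}

int main(void) {
    printf("vulnerable size for evil chunk: 0x%x\n",
           tx3g_alloc_size_vulnerable(0x100, evil_chunk));
    printf("checked size for evil chunk: %lld\n",
           (long long)tx3g_alloc_size_checked(0x100, evil_chunk, (size_t)-1));
    printf("bytes retained by checked parser: %zu\n", demo_parse());
    return 0;
}
```

The second and third checks matter independently: bounding the chunk by the bytes actually present stops a huge declared size outright, and the explicit `UINT32_MAX - existing_size` comparison catches the wrap even when a chunk's size is individually plausible but the running total is not.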
The flaw is just one of the seven vulnerabilities in the Stagefright cluster.
Earlier in the week Zimperium zLabs revealed the first iteration of Stagefright, which can be used to install malware on a device via a simple multimedia message, without the user’s knowledge.
Android versions 4.0.1 through 5.1.1 are affected, which represents 94.1% of Android devices in use today. Google has delivered a patch to phone manufacturers, but when it reaches users' devices depends on each OEM. Customized Android builds that left the media-server component unmodified are also at risk.