New AudioEffect vulnerability affects every version of Android back to 2.3
Stagefright was one of the biggest and most worrying security vulnerabilities to be discovered in Android for quite some time. Affecting the mediaserver component, Stagefright allowed for the remote bricking of devices with nothing more than a message. Now a new, yet-to-be-named vulnerability has been discovered in the same component, specifically the AudioEffect element.
Known as CVE-2015-3842, the vulnerability allows a hacker to run their own code on a phone using whatever permission they want. Security researchers at Trend Micro discovered the vulnerability and explain that it can be exploited by simply tricking users into installing a specially designed app that has no permission requirements and is therefore unlikely to raise suspicions.
One of the positive side effects of Stagefright was that it forced manufacturers to agree to monthly security updates. Despite this, and the fact that Google has issued a patch, millions of handsets remain vulnerable not only to Stagefright, but also to the more recent AudioEffect exploit. A patch might well be available, but it could take months to make its way to users, and huge numbers of handsets are simply no longer supported.
It's not all doom and gloom, however. Trend Micro reports that no active attacks exploiting this vulnerability are currently known -- but this could change. Google may have published details of a fix, but the length of time it takes for carriers to push out updates, coupled with the spread of information about the exploit, means that many people are likely to fall victim before the problem is properly contained.
Writing about the vulnerability on the Trend Micro blog, mobile threat response engineer Wish Wu says:
"This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop. An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. Devices with customized versions of Android but with no modification made to the mediaserver component are also affected."
The advice at the moment is to use Trend Micro Mobile Security (TMMS) to detect any malicious apps that might be installed and then remove them through safe mode.