Silent Attack vulnerability can make 500 million Android smartphones go lifeless

Researchers from Trend Micro have discovered an unusual vulnerability in Android devices which, if exploited, renders them silent. Silent here means that the exploited Android smartphone goes lifeless: it cannot make or receive calls, and the screen stops responding.

Trend Micro's advisory says that this vulnerability is present in all Android smartphones and tablets from Android 4.3 (Jelly Bean) to Android 5.1.1 (Lollipop). Trend Micro has not clarified whether the current Android M release is susceptible to the attack.

Android 4.3 to 5.1.1 (Jelly Bean to Lollipop) runs on almost half of the Android devices in circulation, so roughly 500 million Android smartphones are exposed to this vulnerability.

The Silent Attack

This vulnerability can be exploited in two ways: through a malicious app installed on the device, or through a specially crafted website that hosts the PoC code.

The first technique can have long-term effects on the device: if the victim installs an app that carries an embedded malformed MKV file, and that app registers itself to auto-start whenever the phone boots, the exploit is triggered and the device crashes again on every boot.

In the second technique, the exploit is triggered when the owner visits a website hosting the malformed file, or when the device is lured into loading such a site.

Trend Micro researchers say that the vulnerability lies in the mediaserver service, which Android uses to index the media files stored on the device.

Once the attacker gets a malformed video file onto the device, mediaserver fails to process it. The file uses the Matroska container, the format behind the .mkv extension.

Because it cannot handle the malformed MKV file, the service crashes, and the device goes lifeless.

The root cause is an integer overflow when mediaserver parses the MKV file's audio codec data: the overflowed length check lets the parser read past the end of the buffer or, when the oversized copy cannot be allocated, write through a NULL pointer.

The source code below, from the frameworks/av/media/libstagefright/matroska/MatroskaExtractor.cpp file, shows the vulnerability in detail:

// Parsing the Vorbis CodecPrivate block (Xiph lacing): two lengths, each
// encoded as a run of 0xff bytes followed by one terminating byte.
size_t offset = 1;
size_t len1 = 0;
while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {  // codecPrivate is controlled by the mkv file
    len1 += 0xff;
    ++offset;
}
if (offset >= codecPrivateSize) {
    return ERROR_MALFORMED;
}
len1 += codecPrivate[offset++];

size_t len2 = 0;
while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {
    len2 += 0xff;
    ++offset;
}
if (offset >= codecPrivateSize) {
    return ERROR_MALFORMED;
}
len2 += codecPrivate[offset++];

if (codecPrivateSize < offset + len1 + len2) {  // len1 or len2 may be close to 0xffffffff, so the sum wraps and the check passes
    return ERROR_MALFORMED;
}

if (codecPrivate[offset] != 0x01) {
    return ERROR_MALFORMED;
}
meta->setData(kKeyVorbisInfo, 0, &codecPrivate[offset], len1);  // crash here: len1 far exceeds the buffer
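To make the overflow concrete, the following is an added example written for this page; it is not AOSP or Trend Micro code. It re-implements the two-length Xiph lacing parser from the snippet above, keeps the original bounds check beside an overflow-safe one, and runs both over two constructed CodecPrivate buffers: a benign one and one with enough 0xff bytes that offset + len1 + len2 wraps. It assumes the affected devices are 32-bit builds where size_t is 32 bits (modelled as uint32_t so the wrap reproduces on a 64-bit host); the names usize32, read_lacing, vulnerable_check, hardened_check, RUN_LEN and the builder functions are this example's own, and the hardened check is a variant written here, not the AOSP patch.

```c
/* Added example, not AOSP or Trend Micro code: the Vorbis CodecPrivate (Xiph
 * lacing) parsing from the snippet above, using 32-bit size arithmetic so the
 * wrap-around reproduces on a 64-bit host, beside an overflow-safe check. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the affected devices are 32-bit builds where size_t is 32 bits. */
typedef uint32_t usize32;
enum { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_NOMEM = -2 };
struct lacing { usize32 offset, len1, len2; }; /* offset: first byte after the lengths */

/* Two Xiph-laced lengths: each a run of 0xff bytes (255 apiece) closed by one
 * byte below 0xff. Same loops as the snippet. */
static int read_lacing(const uint8_t *cp, usize32 size, struct lacing *out)
{
    usize32 offset = 1, len1 = 0, len2 = 0;
    while (offset < size && cp[offset] == 0xff) { len1 += 0xff; ++offset; }
    if (offset >= size) return PARSE_MALFORMED;
    len1 += cp[offset++];
    while (offset < size && cp[offset] == 0xff) { len2 += 0xff; ++offset; }
    if (offset >= size) return PARSE_MALFORMED;
    len2 += cp[offset++];
    out->offset = offset; out->len1 = len1; out->len2 = len2;
    return PARSE_OK;
}

/* Original bounds check: the sum is formed first, so large lengths wrap it to
 * a small value and an oversized len1 is accepted. */
static int vulnerable_check(const uint8_t *cp, usize32 size, const struct lacing *l)
{
    if (size < l->offset + l->len1 + l->len2) return PARSE_MALFORMED; /* may wrap */
    if (cp[l->offset] != 0x01) return PARSE_MALFORMED;
    return PARSE_OK;
}

/* Overflow-safe form (added here, not the AOSP fix): test each length against
 * the bytes remaining, so no intermediate value can exceed size. */
static int hardened_check(const uint8_t *cp, usize32 size, const struct lacing *l)
{
    if (l->offset >= size) return PARSE_MALFORMED;
    usize32 remaining = size - l->offset;
    if (l->len1 > remaining || l->len2 > remaining - l->len1) return PARSE_MALFORMED;
    if (cp[l->offset] != 0x01) return PARSE_MALFORMED;
    return PARSE_OK;
}

#define RUN_LEN (1u << 23) /* 0xff bytes per length field */
/* Constructed malicious CodecPrivate: len1 = len2 = 255 * 2^23 = 0x7f800000,
 * so offset + len1 + len2 = 2^32 + 3 wraps to 3 and passes the old check. */
static uint8_t *build_malicious(usize32 *size_out)
{
    usize32 size = 3 + 2 * RUN_LEN + 16;
    uint8_t *cp = malloc(size);
    if (!cp) return NULL;
    memset(cp, 0xff, size);
    cp[0] = 0x02;                /* packet-count byte, skipped by the parser */
    cp[1 + RUN_LEN] = 0x00;      /* closes the len1 run */
    cp[2 + 2 * RUN_LEN] = 0x00;  /* closes the len2 run */
    cp[3 + 2 * RUN_LEN] = 0x01;  /* Vorbis identification packet type */
    *size_out = size;
    return cp;
}

/* Constructed benign CodecPrivate: len1 = 30, len2 = 0xff + 0x0a = 265, offset = 4. */
static uint8_t *build_benign(usize32 *size_out)
{
    *size_out = 4 + 30 + 265 + 8;
    uint8_t *cp = calloc(*size_out, 1);
    if (cp) { cp[0] = 0x02; cp[1] = 0x1e; cp[2] = 0xff; cp[3] = 0x0a; cp[4] = 0x01; }
    return cp;
}

/* Parses a built buffer, applies one check, reports the verdict and the parsed len1. */
static int verdict(uint8_t *(*build)(usize32 *),
                   int (*check)(const uint8_t *, usize32, const struct lacing *),
                   usize32 *len1_out)
{
    usize32 size = 0;
    struct lacing l = {0, 0, 0};
    uint8_t *cp = build(&size);
    if (!cp) return PARSE_NOMEM;
    int rc = read_lacing(cp, size, &l);
    if (rc == PARSE_OK) rc = check(cp, size, &l);
    if (len1_out) *len1_out = l.len1;
    free(cp);
    return rc;
}

int malicious_vulnerable_verdict(void) { return verdict(build_malicious, vulnerable_check, NULL); }
int malicious_hardened_verdict(void)   { return verdict(build_malicious, hardened_check, NULL); }
int benign_vulnerable_verdict(void)    { return verdict(build_benign, vulnerable_check, NULL); }
int benign_hardened_verdict(void)      { return verdict(build_benign, hardened_check, NULL); }
usize32 malicious_len1(void) { usize32 n = 0; verdict(build_malicious, vulnerable_check, &n); return n; }

int main(void)
{
    printf("malicious: old check %d, hardened %d, len1 = %u (0 = accepted, -1 = rejected)\n",
           malicious_vulnerable_verdict(), malicious_hardened_verdict(), (unsigned)malicious_len1());
    printf("benign: old check %d, hardened %d\n", benign_vulnerable_verdict(), benign_hardened_verdict());
    return 0;
}
```

The malicious buffer is about 16 MB, which is the size a real file would need to push both lengths near 2^31 on a 32-bit build; the old check accepts it with len1 = 0x7f800000 against a 16,777,235-byte buffer, which is exactly the oversized copy that crashes mediaserver, while the subtraction-based check rejects it and still accepts the benign input.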

Proof Of Concept

Trend Micro built a proof-of-concept (PoC) app to demonstrate how the attack works. It embeds a malformed MKV file (res/raw/crash.mkv); once the app is started, the mediaserver service crashes, restarts, and crashes again in a loop.


Figure 1. The mediaserver service continuously restarting after the exploit is triggered

This will cause the device to become totally silent and non-responsive. This means that:

  • No ring tone, text tone, or notification sound can be heard. The user has no idea of an incoming call or message and cannot even accept a call; neither party will hear the other.
  • The UI may become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.

In many ways this vulnerability is similar to the Stagefright attack we reported yesterday. Both are triggered by the way Android's media framework (libstagefright, which mediaserver uses) handles media files. The differences are in scope and in the code path: Stagefright affects nearly all Android smartphones, while the Silent attack affects only versions from Jelly Bean to Lollipop, and each bug sits in a different part of the media-parsing code.

Trend Micro says it informed Google's Android Engineering Team about the vulnerability in May 2015, but as of now no patch has been released in the Android Open Source Project (AOSP) code to fix it.
