Android bug could cause devices to appear ‘dead’

SINGAPORE — A recently discovered bug could cause more than half of Android devices on the market today to be virtually “dead”, said software security firm Trend Micro yesterday (July 29).

The vulnerability is said to be present in devices loaded with Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop).

When exploited, the bug will cause phones to have no ring, text or notification sounds and be unable to make calls.

The phone may also become very slow to respond, or completely non-responsive; And if the phone is locked, it cannot be unlocked.

Trend Micro said that the vulnerability could be exploited in two ways: Either via a malicious app installed on the device, or through a specially-crafted web site. The software security firm added that the first technique could cause long-term effects to an Android device — causing the OS to crash every time it is turned on.

“The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device,” said the company. “The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data.”

The software security firm said that it reported the vulnerability privately to Google in May, but to date no patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix it.

Trend Micro also noted that the bug was “similar” to another recently discovered vulnerability announced on Monday (July 27).

On Monday, enterprise mobile security firm Zimperium said that 95 per cent of android devices could be at risk from one of “the worst Android vulnerabilities discovered to date”.

The vulnerability, named Stagefright, could potentially allow hackers to access Android devices without users even realising that they haveve been compromised.

Trend Micro said that both the Stagefright vulnerability and the bug it discovered are triggered when Android handles media files, although the way these files reach the user differs.