Silent Attack vulnerability can make 500 million Android smartphones go lifeless

Silent Attack : Mediaserver vulnerability in Android smartphones running on Jelly Bean to Lollipop renders them lifeless (Updated)

Researchers from TrendMicro Labs have discovered a strange vulnerability in Android devices which if exploited renders them silent. Silent here means that, the vulnerability makes the exploited Android smartphone go lifeless, unable to make or receive calls with a lifeless screen.

The Trend MicroLabs website says that this vulnerability is present in all Android smartphones and tablets from version Android 4.3 Jelly Bean to Android 5.1.1 (Lollipop). Trend has not clarified whether the the current Android M version is susceptible to the attack.

The versions Android 4.3 to Android 5.1.1 (Jelly Bean to Lollipop)  are used in almost half of the Android smartphones in circulation which means that almost 500 million Android smartphones are vulnerable to this vulnerability.

The Silent Attack

This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted website hosting the PoC code.

The first technique can cause long-term effects to the Android device because if the victim installs an app with an embedded MKV file and if such an App registers itself to auto-start whenever the Android smartphone is booted, the exploit will be triggered crashing the device.

In the second technique, the exploit is triggered when the Android smartphone owner visits a malformed website hosting the code or the device is made to visit such a website.

Trend Micro researchers say that the vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device.

Once the attacker send a malformed video file to Android device, the mediaserver service cant process this video using the Matroska container which is used by files with .mkv extension.

Because of its inability to the process the malformed MKV file, the service may crash rendering the device to go lifeless.

The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data.

The source code below – found in the frameworks/av/media/libstagefright/matroska/MatroskaExtractor.cpp file – shows the vulnerability in detail:

865 size_t offset = 1;
866 size_t len1 = 0;
867 while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {//codecPrivate is controlled by the mkv file
868 len1 += 0xff;
869 ++offset;
870 }
871 if (offset >= codecPrivateSize) {
872 return ERROR_MALFORMED;
873 }
874 len1 += codecPrivate[offset++];
875
876 size_t len2 = 0;
877 while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {
878 len2 += 0xff;
879 ++offset;
880 }
881 if (offset >= codecPrivateSize) {
882 return ERROR_MALFORMED;
883 }
884 len2 += codecPrivate[offset++];
885
886 if (codecPrivateSize < offset + len1 + len2) {//len1 or len2 maybe 0xffffffff, then integer overflow happened
887 return ERROR_MALFORMED;
888 }
889
890 if (codecPrivate[offset] != 0x01) {
891 return ERROR_MALFORMED;
892 }
893 meta->setData(kKeyVorbisInfo, 0, &codecPrivate[offset], len1);//crash in here

Proof Of Concept

The Proof of Concept (PoC) app is given by Trend Micro and reproduced below. It includes a malformed MKV file (res/raw/crash.mkv) to demonstrate how this attack functions. Once the app is started, the mediaserver service will keep crashing.

Figure 1. The mediaserver service continuously restarting after the exploit is triggered

This will cause the device to become totally silent and non-responsive. This means that:

• No ring tone, text tone, or notification sounds can be heard. The user will have have no idea of an incoming call/message, and cannot even accept a call. Neither party will hear each other.
• The UI may become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.

In many ways this vulnerability is similar to the Stagefright attack we reported yesterday. The Stagefright attack is also triggered due to the specific way in which Android OS ecosystem handles the media files. The only difference is that Stagefright attack vulnerability effects nearly all Android smartphones but the Silent attack vulnerability affects only versions from Jelly Bean to Lollipop and how both vulnerabilities handle the media files.

Trend MicroLabs says they informed Google (Android Engineering Team) about the vulnerability in May 2015 but as of now no patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability.

Techworm reached out to Google to comment about the vulnerability and the Google spokesperson told us that in a emailed reply,

“We want to thank the researcher for their report as it helps strengthen Android’s security. While our team is monitoring closely for potential exploitation, we’ve seen no evidence of actual exploitation. 

Should there be an actual exploit of this, the only risk to users is temporary disruption to media playback on their device. So, simply uninstalling the unresponsive application or not returning to a website that causes the browser to hang would correct the issue. In addition, we will provide a fix in a future version of Android.”