Starting with the critical vulnerability in the Stagefright multimedia engine -- disclosed at the end of July and detailed at Black Hat in early August -- Android security has received a relentless pummeling for weeks. Several of the newly discovered vulnerabilities also leverage weaknesses in Android's handling of multimedia, and none of them will be easily repaired by a mere patch.
The silver lining is that attackers have not raced to exploit the vulnerabilities, despite their many attractions. Here's a quick rundown of the latest:
- This week, Trend Micro researchers released details about a Stagefright-like vulnerability (CVE-2015-3842) in AudioEffect, a component of MediaServer, that affects Android versions 2.3 through 5.1.1. The bug could enable arbitrary code execution and give the attacker the same permissions as MediaServer, which has access to the device's camera, photos, and videos. The vulnerability could be exploited by convincing the user to run a file that claims to require no special permissions.
- At the USENIX conference last week, FireEye researchers revealed a vulnerability in the way Android runs multiple processes at once. According to the researchers, these task-hijacking attacks could be used to commit "[user interface] spoofing, denial-of-service and user-monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities."
- At Black Hat, Check Point revealed "Certifi-gate," which takes advantage of a flaw in the Android customization chain. It's a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plug-ins on Android devices. According to researchers, Certifi-gate would allow attackers to "install malicious applications to gain unrestricted access to a device silently, gain full control of the mobile device, including access to the sensitive user and corporate data."
- Also at Black Hat, FireEye researchers revealed ways to circumvent TrustZone to harvest fingerprint images from certain Android devices and hijack a mobile payment authorization process.
- Another vulnerability in MediaServer (CVE-2015-3823) affects Android versions 4.0.1 to 5.1.1 and enables denial of service, sending Android devices into a cycle of endless reboots.
- Yet another vulnerability in MediaServer affects Android versions 4.3 (Jelly Bean) to 5.1.1 (Lollipop), and according to researchers, could "render a phone apparently dead -- silent, unable to make calls, with a lifeless screen." Exploits would render MediaServer unable to correctly process malformed video files, which causes the service to crash, "and with it, the rest of the operating system." Trend Micro researchers expected this vulnerability would likely be popular with those dealing in ransomware.