AudioEffect is the source of the attack vector. It is a component of Android's media server (mediaserver) and is present on any Android handset running operating system versions 2.1 to 5.1.1.
An attacker can create a false sense of security by deploying an application that does not request any permissions. The application writes a larger-than-expected value to a memory address, causing a buffer overflow that crashes the media server and creates the opportunity to overwrite a valid address with one pointing to the attacker's code. With elevated permissions, that code then runs with the same level of system access that mediaserver holds, putting the user's pictures, video and audio at risk.
Documented and demonstrated on a Nexus 6 running Android 5.1.1: Trend Micro Mobile Threat Response Engineer Wish Wu states that AudioEffect has two vulnerable C++ source files, EffectBundle and EffectReverb.
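As an added illustration (not code from the article, from Trend Micro, or from AOSP), this hypothetical C model shows the check the bug class described above is missing: an effect-parameter handler that validates the app-supplied length against the real destination before copying, where the vulnerable pattern trusted that length. The message layout, structure and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an effect-parameter message that an unprivileged
 * app hands to mediaserver: a length chosen by the app, followed by the
 * parameter bytes. This is not the real EffectBundle/EffectReverb layout. */
#define EFFECT_VALUE_MAX 16

typedef struct {
    uint32_t psize;                    /* app-supplied byte count for value[] */
    uint8_t  value[EFFECT_VALUE_MAX];  /* fixed-size destination inside the effect */
} effect_param_t;

enum { PARAM_OK = 0, PARAM_BAD_SIZE = -1 };

/* Hardened handler: the caller-chosen length is checked against the real
 * capacity of the destination before anything is copied. The bug class the
 * article describes is the opposite pattern: trusting psize and copying
 * regardless, so an oversized value overruns value[] into whatever follows
 * it in mediaserver's memory. */
int set_param(effect_param_t *dst, const uint8_t *src, uint32_t psize)
{
    if (dst == NULL || src == NULL || psize > sizeof dst->value) {
        return PARAM_BAD_SIZE;   /* reject; dst is left untouched */
    }
    dst->psize = psize;
    memcpy(dst->value, src, psize);
    return PARAM_OK;
}

/* Demo: replay one constructed request with the given claimed size and
 * report whether the hardened handler accepted it. */
int replay_request(uint32_t claimed_size)
{
    uint8_t payload[64];              /* constructed, attacker-style input */
    effect_param_t fx = { 0 };
    memset(payload, 0x41, sizeof payload);
    return set_param(&fx, payload, claimed_size);
}

int main(void)
{
    printf("16-byte request: %s\n", replay_request(16) == PARAM_OK ? "accepted" : "rejected");
    printf("17-byte request: %s\n", replay_request(17) == PARAM_OK ? "accepted" : "rejected");
    return 0;
}
```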
“This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop. An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. Devices with customized versions of Android but with no modification made to the mediaserver component are also affected.
A dilemma users may face is that it will be difficult for them to locate the cause once an attack occurs. In our demo, we simply triggered the attack by running an app; this is convenient and intuitive for disclosure. While attacks can be triggered by apps alone, real-world attacks won’t involve apps that are easy to detect. The malicious app will try as much as possible to appear legitimate and use dynamic load technology to remain undetected while triggering the attack several days/months later, either persistently or intermittently, similar to other malware.”
-Mobile Threat Response Engineer, Wish Wu | Trend Micro
Mr. Wu is the analyst who discovered that 90% of all Android devices are susceptible to denial-of-service attacks through the Matroska container, a multimedia wrapper that uses the .mkv file extension. This is another mediaserver vulnerability, triggered by sending an Android user a simple .mkv movie via MMS; the affected handset becomes unresponsive ("coaster mode") indefinitely.
Google is aware of the vulnerability, registered as CVE-2015-3842, and has included the fix in the AOSP source. This does little for users, however, since none of the OEMs or carriers use it: none have publicly disclosed that they have distributed a patch to their customers.