Researchers from TrendLabs Security Intelligence have discovered a vulnerability affecting Android 4.3 (Jelly Bean) through the current version, Android 5.1.1 (Lollipop), that could let an attacker turn a phone “dead silent, unable to make calls, with a lifeless screen”.
Researchers have said that the flaw would cause phones to have no ring, text or notification sounds and be unable to make calls.
According to a post on its blog, “This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.”
The researchers said that the vulnerability is similar to the recently discovered Stagefright vulnerability. Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs.
Researchers from Zimperium Mobile Security, a security firm, had discovered Stagefright in the Android mobile operating system, which they said was the “worst Android vulnerabilities” to date.
Though Google had patched the problem, millions of devices need to be updated. The flaw has affected nearly a billion devices.
“The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device,” said the company. “The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data,” the blog post read.
Although the flaw was reported to Google in May, the company concerned has been able to fix the issue.
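The bug class the blog post describes, an integer overflow while parsing MKV data that leads to an out-of-bounds read, can be shown with a size check on a Matroska (EBML) element. This C code is an added example, not taken from the article, TrendLabs or Android's mediaserver; the function names, the sample bytes and the 32-bit wrapping check are assumptions made for illustration, not the actual flaw.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode an EBML variable-length integer (Matroska element sizes use this).
   Returns the number of bytes consumed, or 0 on truncated/invalid input. */
static size_t ebml_read_vint(const uint8_t *p, size_t avail, uint64_t *out)
{
    if (avail == 0 || p[0] == 0) return 0;        /* no length-marker bit */
    size_t n = 1;
    uint8_t mask = 0x80;
    while (!(p[0] & mask)) { mask >>= 1; n++; }   /* leading zeros give width */
    if (n > avail) return 0;                      /* size field is truncated */
    uint64_t v = p[0] & (uint8_t)(mask - 1);      /* strip the marker bit */
    for (size_t i = 1; i < n; i++) v = (v << 8) | p[i];
    *out = v;
    return n;
}

/* Weak pattern (hypothetical): adding an untrusted size wraps modulo 2^32,
   so a huge declared size produces a small sum and passes the check. */
int payload_fits_unsafe(uint32_t off, uint32_t size, uint32_t len)
{
    return (uint32_t)(off + size) <= len;
}

/* Hardened: compare the declared size with the bytes that remain,
   so no arithmetic is ever done on the untrusted value. */
int payload_fits_safe(size_t off, uint64_t size, size_t len)
{
    return off <= len && size <= (uint64_t)(len - off);
}

/* Returns 1 only if the element's declared payload lies inside buf. */
int element_in_bounds(const uint8_t *buf, size_t len, size_t off)
{
    uint64_t size;
    if (off >= len) return 0;
    size_t n = ebml_read_vint(buf + off, len - off, &size);
    if (n == 0) return 0;
    return payload_fits_safe(off + n, size, len);  /* off + n <= len here */
}

/* Constructed samples: a 5-byte size field declaring 0xFFFFFFF0 payload
   bytes in a 16-byte buffer, and a well-formed 3-byte payload. */
const uint8_t sample_bad[16] = { 0x08, 0xFF, 0xFF, 0xFF, 0xF0 };
const uint8_t sample_ok[4]   = { 0x83, 'a', 'b', 'c' };
```
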