A newly revealed security vulnerability can crash any device running Android 4.3 Jelly Bean or later, Trend Micro researchers reported today (July 29). Exploits can come either through a website or a corrupted Android app, and the affected device will be temporarily "killed," with a frozen or dark screen, unable to send or receive calls or texts or to respond to button presses or taps.
Users might be able to recover functionality by performing a "hard" reboot, such as by pressing the Power and Volume Down buttons or by temporarily removing the battery. But Trend Micro noted that malicious apps that exploited the flaw — none have yet been reported — could set themselves to run at boot and crash the device endlessly.
Google's own statistics noted that 57 percent of all Android devices ran Android 4.3 Jelly Bean or later as of June 1, so there are likely hundreds of millions of devices worldwide that could be affected by this flaw.
The problem, according to a Trend Micro blog post, lies with a failure to safeguard against memory overflows in Android's media server software, which indexes multimedia (audio and video) files located on a device. A specially crafted video file, based on the open-source Matroska format, can force the media server to write data outside of its memory allocation, causing a system crash.
Trend Micro researchers created a proof-of-concept malicious app that exploits the flaw, as demonstrated in a YouTube video.
The flaw was privately disclosed to Google on May 15, Trend Micro said, but as of today had not been patched in the Android Open Source Project, the free-to-use code underlying all versions of Android.
Users probably can't completely insulate themselves from attacks exploiting this flaw, but can mitigate their exposure by going into Settings > Security and making sure their devices are not set to accept software from unknown sources.
- Mobile Security Guide: Everything You Need to Know
- Your Router's Security Stinks: Here's How to Fix It
- Android M: Top New Features Explained