Trend Micro’s Wish Wu:
We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen. This vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop). Combined, these versions account for more than half of Android devices in use today. No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability since we reported it in late May.
This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would case the OS to crash every time it is turned on.
In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability. Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs.
Kind of a bad week for Android’s security superiority. You remember all those security experts who were so up in arms about Apple’s ads saying the Mac had less malware? Wonder what they think about Google and its apologists saying all is well.
(Hat tip to Charles Arthur.)