There’s yet another Android flaw to contend with following the Stagefright Bug. This one can totally brick an Android phone, and as yet, there’s no fix.
Image: Family O’Abé
Trend Micro is reporting on a flaw in the mediaserver service in all versions of Android from 4.3 up to 5.1 that can be abused either through a specially crafted app or a specially coded web site. Triggered through a web site, the flaw should only cause a single reboot of a device, but a compromised app could in theory cause an endless non-responsive reboot loop with a dead screen, or in other words, a completely bricked Android smartphone.
This isn’t quite as critical as the Stagefright bug, given that it’s an exploit that does require some user intervention, either by visiting a web site or downloading an app. Here’s the exploit in action if you get all excited by bricked phones, bearing in mind that this is just a proof of concept at the moment.
Trend Micro Discovers Vulnerability That Renders Android Devices Silent [Trend Micro]
Comments
6 responses to “Security Alert: New Android Flaw Can Brick Your Smartphone”
I don’t understand the apps with malicious code in them. Who downloads these things?
People who don’t understand how app stores work
Hypothetical:
So I build an app, charge 0.99c for it, everyone wants that app, but shy away from the cost… Some malicious jerk copies my app, adds some malicious code to it and releases it for free on XDA or something … it gets covered on blogs everywhere as a free alternative to the awesome app I created, and people are installing it left, right and centre … BOOM, your phone just got compromised…
Saying “a completely bricked Android smartphone” is an exaggeration. That would imply even the bootloader is not accessible, which is not the case here.
So simply boot into recovery and either restore from a backup or re-flash the OS. As long as the /data partition isn’t affected (and this exploit doesn’t seem to) it should be entirely possible to restore the device.
Not on stock firmware. Then your only choice is to restore to factory defaults without keeping any data.
Most people don’t even know how to use the app store.