New Android bug renders device silent, unresponsive

A newly-discovered vulnerability in the Android operating system would allow attackers to place a target device in a vegetative state, rendering it unusable, security researchers have found.

Infosec firm Trend Micro today said it had discovered a denial-of-service bug that can be exploited to make devices silent and unresponsive.

Successful exploit of the vulnerability would remove the device's ringtone, text tone and notification sounds, indication of incoming calls and the user's ability to accept calls. 

It would also remove the ability for locked devices to be unlocked.

Trend Micro pointed out that attackers would not be able to steal data or exert control over the phone through the exploit. The vulnerability would be most effective in ransomware-type attacks.

The vulnerability exists with the Android mediaserver software and affects versions of Android from 4.3 to the current 5.1.1 - meaning more than half of all Android devices currently in use are vulnerable.

The issue lies with a failure to safeguard against memory overflows in the mediaserver software. It means a specially crafted video file - using the Matroska container - can force the software to write data outside of its memory allocation, resulting in a system crash.

Attackers can exploit the vulnerability either through a malicious app installed on the infected device or through a specially crafted website.

The attack would be even more effective should the malicious app be configured to auto-start whenever the device is switched on - causing it to crash every time the phone boots.

Trend Micro said it reported the bug to Google in May but the company is yet to release a patch.

One way to mitigate against the problem is to ensure your device is not set to accept software from unknown sources in its 'security' settings, Trend Micro wrote.

The discovery of the vulnerability comes just two days after the critical 'Stagefright' bug in Android was made public.

On Tuesday security researcher Joshua Drake revealed he had found what could be one of the worst vulnerabilities in Google's Android mobile operating system to date.

He discovered that the Stagefright media library - used for time-sensitive applications - is vulnerable to memory corruption, leaving close to a billion devices open to remote code execution.

Google issued patches for the bug soon after it was alerted to the issue by Drake.