The Month Of Android Vulnerabilities Rolls On

  /     /     /  
Publicated : 22/11/2024   Category : security


The Month Of Android Vulnerabilities Rolls On


Multi-media handling takes the most hits, and there are no easy fixes.



Starting with the
critical vulnerability in the Stagefright multimedia engine
-- released at the end of July and detailed at Black Hat in early August -- Android security has received a relentless pummeling for weeks. Several of the new vulnerabilities discovered also leverage weaknesses in Androids handling of multimedia, and none of them will be easily repaired by a mere patch.
The silver lining is that attackers have not raced to exploit the vulnerabilities, despite their many attractions. Heres a quick rundown of the latest:
This week,
Trend Micro researchers released details
about a Stagefright-like vulnerability (CVE-2015-3842) in AudioEffect, a component of MediaServer, that affects Android versions 2.3 through 5.1.1. The bug could enable arbitrary code execution and give the attacker the same permissions as MediaServer, which has access to the devices camera, photos, and videos. The vulnerability could be exploited by convincing the user to run a file that claims to require no special permissions.
At the USENIX conference last week,
FireEye researchers revealed
a vulnerability in the way Android runs multiple processes at once. According to the researchers, these task-hijacking attacks could be used to commit [user interface] spoofing, denial-of-service and user-monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities.
At Black Hat, Checkpoint revealed
Certifi-gate,
which takes advantage of a flaw in the Android customization chain. Its a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugs on Android devices. According to researchers, Certifi-gate would allow attackers to install malicious applications to gain unrestricted access to a device silently, gain full control of the mobile device, including access to the sensitive user and corporate data.
Also at Black Hat,
FireEye researchers revealed
ways to circumvent TrustZone to harvest fingerprint images from certain Android devices and hijack a mobile payment authorization process.
Another vulnerability in MediaServer
(CVE-2015-3823) affects Android versions 4.0.1 to 5.1.1 and enabled denials of service, sending Android devices into a cycle of endless reboots.
Yet
another vulnerability in MediaServer
affects Android versions 4.3 (JellyBean) to 5.1.1 (Lollipop), and according to researchers, could render a phone apparently dead -- silent, unable to make calls, with a lifeless screen. Exploits would render MediaServer unable to  correctly process malformed video files, which causes the service to crash, and with it, the rest of the operating system. Trend Micro researchers expected this vulnerability would likely be popular with those dealing in ransomware. 
 

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
The Month Of Android Vulnerabilities Rolls On