Google patches another 'high severity' bug in Android

More security fixes on the way for Android users after researchers find another flaw in Android mediaserver.
Written by Liam Tung, Contributing Writer

Google has patched yet another security bug affecting Android versions 2.3 to 5.1.1, which security firm Trend Micro says could be used to abuse device owners' privacy.

The bug, likely to be fixed in Google's next monthly security update for Nexus devices, could allow attackers to abuse Android's mediaserver program to spy on device owners.

The bug adds to a growing list of vulnerabilities stemming from the Android component, which was at the root of one of the seven bugs found in the Stagefright media library. Stagefright prompted Android OEMs to begin working with carriers on processes to ensure end users receive more reliable and regular security updates using a monthly patching cycle.

Trend Micro researcher Wish Wu noted yesterday that Google added a fix for the latest bug, known as CVE-2015-382, to the Android Open Source Project code on August 1, with Google giving the flaw a high severity rating.

Unlike Stagefright, which could be exploited simply by sending a malicious media file to affected Android devices, in this case an attacker would need to trick victims into installing a malicious app.

Should they achieve this, however, "an attacker would be able to run their code with the same permissions that the mediaserver program already has as part of its normal routines," said Wu.

"Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk," he added.

Trend Micro also disclosed a lower severity flaw earlier this month affecting mediaserver that could have been used to lock a device in an endless reboot.

Android security and the notoriously haphazard delivery of updates from the highly fragmented Android ecosystem have been under the spotlight ever since the Stagefright bugs were disclosed.

While Google released fixes for the bugs on August 5, the company last week conceded that the fix didn't entirely patch the flaws and has confirmed it will be releasing another update in September to fix the problem.

Still, the bug has prompted operators and handset makers to update devices that haven't seen updates in a while. As spotted by Android Police, Verizon yesterday rolled out an over-the-air update to Samsung's two-year-old Galaxy S4 that didn't contain any feature updates, only a fix for Stagefright.
