An extremely critical Remote Code Execution (RCE) flaw is affecting over a billion Android devices. All the devices facing this vulnerability are running versions from Android 7.0 Nougat to Android 9.0 Pie.
The RCE flaw is in the Android Media framework, which handles media playback. Hackers may be able to exploit the vulnerability by launching remote attacks.
How can your smartphone be hacked?
Basically, a hacker can use a specially crafted file that’s programmed to execute arbitrary code on the victims’ smartphones.
All the hacker needs to do is get you, the victim, to play a malicious, specially created video file through Android’s native video player.
The hacker’s job gets easier still if you play the video file through a third-party video app that uses the Android Media framework. Starting with a payload, he can gain more privileges, and finally, the entire device will be under his control.
However, the worst part is yet to come. Marcin Kozlowski, an Android developer from Germany, has uploaded a PoC for this Android attack to his GitHub account. This proof of concept (PoC), an HEVC-encoded video, illustrates how to crash smartphones with the help of video files. More specifically, it details the process of conducting RCE on Samsung and LineageOS phones.
The PoC that Kozlowski uploaded can only crash the media player. But the developer warns that a properly prepared video can also be used to execute arbitrary code on Android devices.
What’s Google’s take on this flaw?
To fix this critical RCE flaw, Google published a security update on 1st July, 2019. Android Open Source Project (AOSP) versions that have already been updated include 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.
In its July 2019 Android Security Bulletin, Google describes the RCE flaw (CVE-2019-2107) as the most severe security vulnerability. This is because it can allow the hacker to launch an attack “within the context of a privileged process.”
But there are still millions of Android smartphones out there that are vulnerable to this security flaw. These phones haven’t received the latest security update yet.
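To tell which handsets still fall into that group, the following added example (not from the original article or from Google) classifies devices from `adb shell getprop` output. It assumes, from the figures above, that releases 7.0 to 9 are affected and that a security patch level of 2019-07-01 or later carries the fix; the sample dumps are constructed.

```python
import re
from datetime import date

# Assumptions taken from the article: affected releases are Android 7.0 to 9,
# and the fix shipped with the security update dated 1 July 2019.
AFFECTED_MAJORS = {7, 8, 9}
FIX_PATCH_LEVEL = date(2019, 7, 1)

# `getprop` prints one property per line as "[key]: [value]".
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Parse `adb shell getprop` output into a dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m["key"]] = m["value"]
    return props


def classify(props):
    """Return 'out-of-range', 'patched', 'vulnerable' or 'unknown' for one device."""
    major = props.get("ro.build.version.release", "").split(".")[0]
    if not major.isdigit():
        return "unknown"
    if int(major) not in AFFECTED_MAJORS:
        return "out-of-range"  # outside the 7.0-9 range the article names
    try:
        patch = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        # Missing or malformed patch level on an affected release:
        # the fix cannot be confirmed, so do not report the device as patched.
        return "unknown"
    return "patched" if patch >= FIX_PATCH_LEVEL else "vulnerable"


# Constructed sample dumps, not captured from real devices.
SAMPLES = {
    "phone-a": "[ro.build.version.release]: [8.1.0]\n[ro.build.version.security_patch]: [2019-05-05]",
    "phone-b": "[ro.build.version.release]: [9]\n[ro.build.version.security_patch]: [2019-07-01]",
    "phone-c": "[ro.build.version.release]: [6.0.1]\n[ro.build.version.security_patch]: [2017-10-01]",
    "phone-d": "[ro.build.version.release]: [7.1.2]\n[ro.product.model]: [Example]",
}

if __name__ == "__main__":
    for name, dump in SAMPLES.items():
        print(name, classify(parse_getprop(dump)))
```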
How can you protect yourself?
Even if you receive a malicious video on WhatsApp, Messenger, Twitter, YouTube, or other social media platforms, you’ll be safe. In other words, the attack won’t work on these services. Platforms such as these compress and re-encode video files before sending them, which changes the embedded malicious code.
To shield yourself from remote attacks, don’t download and play random videos from unreliable and unknown sources. When a security patch is available, don’t forget to install the latest Android security update.
Has a hacker attacked your phone after you played a malicious video? Tell us about your experience in the comments.