The tech firm has been working on media-file-related software bugs in Android OS since July last year, when Stagefright – a media-parsing library – was discovered to be flawed. This called for a massive coordinated patching action by Android manufacturers and for monthly updates to be issued by Google, Samsung and LG.
In an effort to address these most recent vulnerabilities, the giant tech company released security updates for its Nexus devices on Monday and is due to publish further patches today. Manufacturers who are in partnership with Google had already been informed of the vulnerabilities – six critical, two high and five moderate – one month ago and will soon issue updates according to their own schedules.
The most dangerous threat was to be found in the media server Android component, which constitutes a core part of the OS, the one in charge of handling and storing digital media and analysing the corresponding file metadata.
Attackers could tamper with the media server process to achieve arbitrary code execution, either remotely by tricking users into opening “maliciously-crafted” media files or by sending those files through MMS.
The situation is gradually stabilising: the five other critical vulnerabilities, high-level threats that target the very core of the OS, were also fixed in the release.
One of the flaws was located in the misc-sd driver from Taiwan-based MediaTek. A further flaw was in a driver from UK-based Imagination Technologies. A third one was discovered and fixed directly in the kernel. The last two critical vulnerabilities were in the Widevine QSEE TrustZone application.
All of them could compromise the whole system and would require a high-maintenance recovery process. The last two could allow malicious activities in the TrustZone context, a hardware-based security extension of the Central Processing Unit architecture, which is separate from the operating system.
What’s really at the core of the matter is the act of rooting – the access to the phone’s inner secrets. It is, in fact, a double-edged sword depending on who’s exploiting this possibility: computer wizards who just want to “have fun” or attackers full of bad intentions.
For this reason, Google does not allow rooting apps in its Google Play store. And that is why Verify Apps and SafetyNet – local Android security features – are in place to discourage such actions.
One extra measure of caution, intended to make remote exploitation of media-parsing flaws more difficult to achieve, is disabling the automatic display of multimedia messages in Google Hangouts and the Messenger app. This security measure was first used in response to the Stagefright flaw back in July.