Issues of Android Mediaserver – media files too can be dangerous

Posted on Posted in Mobile malware

Android Mediaserver is designed to be a media scanner and it is based on clever idea: it scans and indexes complete multimedia content such as images, MP3 files and video files stored on a mobile device’s persistent memory. Thus, it is not necessary to perform one scan for video files by a user’s favorite video application, another scan for music files by a music player application, etc.  Android Mediaserver executes only one multimedia scan and its results will be available to all multimedia applications currently installed on the user’s mobile device. It sounds great: only one scan instead of multiple scans performed by different user’s applications. This way saves CPU, battery and last but not least the time needed for multiple scanning. Unfortunately, there are a lot of issues related to Android Mediaserver.

The first problem has been described in one post called “Media Server eating my battery?”. It was caused by incessant rescanning of file system, which resulted in huge battery consumption – around forty percent (in some cases even more). However, it was just a bug which did not represent a security threat unlike following issues.

 

The first occurrence of Remote Code Execution Vulnerability in Mediaserver (CVE-2015-3864) was announced on September 9, 2015 . There is a very good explanation of the problem: “Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824. ” Please, notice this part:  “allows remote attackers to execute arbitrary code via crafted MPEG-4 data” which means video files could be dangerous and it can cause serious harm. It is relatively a new trend which is not well known in Android community. Users have learned to watch out for apk installation files and most of them does not install them from unknown sources to their phones and tablets but they are not aware of multimedia files threats. That is the reason why this is a particularly dangerous issue.

 

The other Remote Code Execution Vulnerability in Mediaserver has been published in Android Security Bulletin (CVE-2016-2428 and CVE-2016-2429).

Here is the description of CVE-2016-2428:

  • libAACdec/src/aacdec_drc.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not properly limit the number of threads allowing remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a crafted media file, aka internal bug 26751339.)

Here is the description of CVE-2016-2429:

  • libFLAC/stream_decoder.c in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not prevent free operations on uninitialized memory, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted media file, aka internal bug 27211885.

 

Notice that both CVE-2016-2428 and CVE-2016-2429 can be caused by crafted media files! In other words, not only executable files but also media files pose security risk on the Android platform.  Security issues CVE-2015-3864, CVE-2016-2428 and CVE-2016-2429 imply that users should be careful about downloading media files to their mobile devices.

 

Announcement: if you have any suspicious media files on your Android smartphone or tablet, please let me known on address: oulehla@fai.utb.cz.

 

I hope you enjoyed this post and make sure to follow me.

 

@Milan Oulehla