Security company discovers new security problem in Android media server

Security firm Trend Micro has found another security flaw in Android that allows a restricted app to run its own code at the media server level. This includes access to the internet and the camera.

The vulnerability resides in the AudioEffect portion of the Android media server, according to security firm Trend Micro. The problem, which enables code execution, is less easy to exploit than the bug in the Stagefright library, also part of the Android media server. This can be misused by serving a malicious video, for example in a chat message or from a website.

Unlike that bug, the bug in AudioEffect can only be exploited from an app. This does mean that an app with limited rights can access the microphone and camera, among other things; code can be executed from the app with rights from the media server. Since the media server also has access to the Internet, an attacker could tap the camera and microphone and pass it on to its own server.

The bug has now been fixed, Trend Micro states, but the bug would still be present in Android 5.1.1. This indicates that the bug will only be solved in practice in the next Android version. In addition, users of old Android versions are still vulnerable.

It’s the third time in a short time that Android media server bugs have come out. In addition to the Stagefright bug, Trend Micro previously discovered an app that can render a phone useless by endlessly rebooting it.

An example app from Trend Micro, with limited access rights