Security researchers have published details of a vulnerability in Google's Android platform which can soft- or even hard-brick devices through a malicious app or website, and for which no patch is yet available.
Google's Android platform, acquired by the company ahead of its push into the smartphone market, has proven a stellar success. Android smartphones account for the overwhelming majority of the market with an estimated 78 per cent share, but that success comes at a price: Android has become an extremely tempting target for crackers, criminals, and other ne'er-do-wells. The news, then, that there is an unpatched bug in all versions of Android from 4.3 'Jelly Bean' right through to the very latest Android 5.1.1 'Lollipop' - accounting for more than half of all Android devices in the wild - is unwelcome in the extreme.
'We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen,
' explained Trend Micro's Wish Wu in a blog post
announcing the team's findings. 'This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would case the OS to crash every time it is turned on.
The vulnerability is serious and has multiple exploitation vectors, and there's a bigger problem: Google has apparently been sitting on the issue since late May, and a patch has yet to be developed - leaving even those with fully-updated handsets at risk - following the company's declaration that the flaw is a 'low-priority vulnerability
An example of the vulnerability being used to crash a handset through a malicious app is included below.