Strava Technologies (P) LTD
Beware! You should be more careful while playing a video on your smartphone—downloaded anywhere from the Internet or received through email.
That's because, a specially crafted innocuous-looking video file can compromise your Android smartphone—thanks to a critical remote code execution vulnerability that affects over 1 billion devices running Android OS between version 7.0 and 9.0 (Nougat, Oreo, or Pie).
The critical RCE vulnerability (CVE-2019-2107) in question resides in the Android media framework, which if exploited, could allow a remote attacker to execute arbitrary code on a targeted device. To gain full control of the device, all an attacker needs to do is tricking the user into playing a specially crafted video file with Android's native video player application.
Though Google already released a patch earlier this month to address this vulnerability, apparently millions of Android devices are still waiting for the latest Android security update that needs to be delivered by their respective device manufacturers. "The most severe vulnerability in this section [media framework] could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google described the vulnerability in its July Android Security Bulletin.
What makes the issue more worrisome is that Germany-based Android developer Marcin Kozlowski has uploaded a proof-of-concept for this attack on Github. Although the PoC shared by Kozlowski, an HEVC encoded video, only crashes the media player, it can help potential attackers develop their exploits to achieve RCE on targeted devices.
However, it should be noted that if such malicious videos are received through an instant messaging app like WhatsApp or Facebook Messenger or uploaded on a service like YouTube or Twitter, the attack won't work. That's because these services usually compress videos and re-encode media files which distorts the embedded-malicious code.
The best way to protect yourself from this attack is to make sure you update your mobile operating system as soon as the latest patch becomes available. Meanwhile, you are recommended to avoid downloading and playing random videos from untrusted sources and follow basic security and privacy practices.
© 2021 Strava Technologies (P) Ltd. All rights reserved