Critical flaw in Android can lead to device compromise just by playing video
- A malware-embedded video when played on the native Android video player could allow attackers to execute arbitrary code on the device.
- Android devices with versions between 7.0 (Nougat) and 9.0 (Pie) are affected by this.
Android versions between 7.0 (Nougat) and 9.0 (Pie) contained a major flaw that could allow attackers to hack the device with just a video. Tracked as CVE-2019-2107, the flaw is a remote code execution (RCE) vulnerability that lies in the Android media framework. As a result, a malware-embedded video when played on the native Android media player could allow attackers to execute arbitrary code and take over the device.
The flaw is patched by Google in its July security update, however, millions of devices are still vulnerable as they are yet to receive the major update from the manufacturers.
The big picture
- A security advisory by NIST describes the flaw to be an out-of-bounds issue. “In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed,” reads the advisory.
- Android versions affected by the flaw are Android 7.0, 7.1.1, 7.1.2, 8.0, 8.1 and 9.
- An RCE attack is possible only if the malicious video is played on the native Android media player.
A proof-of-concept (PoC) exploit by software developer Marcin Kozlowski illustrates the flaw being exploited with HEVC video.
“CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE,” said Kozlowski.
Users are advised not to download and play videos from unknown sources, and keep their Android devices updated with the latest version.