Android users are being warned of another serious security threat that can render devices all but unusable. The flaw, uncovered by security firm Trend Micro, is the second major threat to come to light this week after the Stagefright flaw.
Trend explained that the flaw effectively 'bricks' any phone by rendering the screen blank and making it unable to make calls or play sounds.
"We have discovered a vulnerability in Android that can render a phone apparently dead - silent, unable to make calls, with a lifeless screen," Trend said.
The flaw affects all versions of Android from 4.3 Jelly Bean to the latest 5.1.1 Lollipop. This is around half of all Android devices currently in use.
The attack works by automatically loading a file with an .mkv extension that crashes the phone every time it starts.
“An app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on,” Trend said.
The attack can be carried out through a malicious app or a specially crafted web page. Trend said that these tactics are often successful, as users can easily be duped into downloading seemingly legitimate apps that contain malware.
"We’ve discussed in the past how repackaged apps pose a problem for users who may have a hard time differentiating legitimate apps from repackaged ones," Trend noted.
The firm added that the flaw could easily be used by crooks to create a new form of ransomware, so that device owners are asked for payment to have the malicious app removed.
Trend said that it alerted Google to the problem in May and that Google classified it as a "low priority vulnerability". Since then no further action has been taken.
“No patch has been issued in the Android Open Source Project code by the Android engineering team to fix this vulnerability since we reported it in late May,” Trend said.
Google said it would issue a fix in future versions of Android but denied that there was any major risk to device owners.
"While our team is monitoring closely for potential exploitation, we've seen no evidence of actual exploitation. Should there be an actual exploit of this, the only risk to users is temporary disruption to media playback on their device," it said.
"So, simply uninstalling the unresponsive application or not returning to a website that causes the browser to hang would correct the issue. In addition, we will provide a fix in a future version of Android."
The vulnerability is the second major threat to come to light this week after security firm Zimperium Labs uncovered a flaw dubbed Stagefright that could affect some 950 million devices.
The attack works by sending an MMS to a mobile containing a specially crafted media file. This can gain access to the Android source code without any user interaction.
Google has created a fix but, as it will require updates to be rolled out by manufacturers, it could be many months before devices are free from the threat.
Security firm FireEye said that Android owners should turn off the MMS feature on their devices to avoid falling victim.