Android users are being urged to update their devices after the discovery of a new security vulnerability that can be used by hackers to inject malware via malicious media applications.
The flaw, designated CVE-2015-3842, was found by researchers at Trend Micro and affects devices running Android 2.3 to 5.1.1.
Google has fixed and released a patch for the vulnerability as part of the ongoing Android Open Source Project, and Trend Micro said that it has seen no active attacks exploiting the flaw.
However, devices that have not been updated remain vulnerable, and Google's patch may take time to reach individual users because the device vendors are responsible for issuing software updates.
The new vulnerability is similar to the Stagefright flaw uncovered in July that affected up to 95 percent of all Android devices, and stems from the Mediaserver component.
Trend Micro researcher Wish Wu explained that a hacker could gain full control of a device by using a malicious application that can decide when to start and stop an attack.
"Since the Mediaserver component deals with a lot of media-related tasks, including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk," he said.
"While attacks can be triggered by apps alone, real-world attacks won't involve apps that are easy to detect. The malicious app will try as much as possible to appear legitimate and use dynamic load technology to remain undetected while triggering the attack several days/months later, either persistently or intermittently, similar to other malware."
Bharat Mistry, cyber security consultant at Trend Micro, told V3 that the open source nature of Android makes the OS vulnerable to such threats.
"With Android you have Google, which has developed the core modules, but then custom variants can be created by anyone and the same also applies for the apps that run on the platform," he said.
"When you couple this with the large independent choice of hardware platforms, i.e. phones/tablets from a host of manufacturers including Samsung, Sony, LG, etc, which in turn will have some slight tweaks to the core OS and vendor-specific apps for the device, it's no wonder these holes or vulnerabilities exist.
"In contrast Apple offers a 'closed' ecosystem whereby Apple controls the operating system, strictly vets the applications before hosting on the App Store and, more crucially, controls the hardware platform."
Mistry told V3 that Android users should patch their devices immediately and use only trusted applications from official sources.
The patch originally rolled out by Google to fix Stagefright was described as flawed by researchers at Exodus Intelligence earlier this month.
"If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting its own customers what hope do the rest of us have?" said Exodus researcher Jordan Gruskovnjak at the time.
Google acknowledged the flaw and said that a further patch will be released in September.
"We've already sent the fix to our partners to protect users, and Nexus 4, 5, 6, 7, 9, 10 and Nexus Player will get the OTA update in the September monthly security update," the firm said.