TrendMicro has discovered a severe Android mediaserver vulnerability, which can be exploited to perform attacks involving arbitrary code execution.
With this new vulnerability, an attacker would be able to run their code with the same permissions that the mediaserver program already has as part of its normal routines. This attack can be fully controlled, which means a malicious app can decide when to start the attack and also when to stop.
Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk.
Devices with customized versions of Android but with no modification made to the mediaserver component are also affected.
The Android Security team has published the fix in AOSP.