"The vulnerability is in media parsing," according to the research. "Which means that the victim's device doesn't even need to play the media."
Parsing is when the device retrieves information including the video length, artist name and title.
The study looked at Android versions 2.2 to 4.0 as well as 5.0-5.1. The attack works best on Nexus 5 but was also tested on HTC One, LG G3 and Samsung S5, although modifications were needed for the exploit to work.
"The victim also has to linger for a time in the attack web page," NorthBit researchers wrote. "Social engineering may increase effectiveness of this vulnerability."
The software research company put together a video showing how it works.
About the Author