VTA-004519 – Safari Vulnerability Enables Attackers to Steal Credentials with Fullscreen BitM Attacks
Browser-in-the-Middle (BitM) phishing does not harvest a password from a fake login form. Instead, the victim is made to interact with the real login page of the target service while that page runs inside a browser the attacker controls. The attacker's remote browser is streamed into the victim's own browser, typically as a VNC-style session rendered in a web page, so everything the victim types, the password, the MFA response and the authenticated session that results, passes through infrastructure the attacker owns. The SquareX research referenced below combines this technique with the browser Fullscreen API and shows that Safari gives the victim almost no cue that it has happened.
The weakness is not a memory-safety bug but a missing trust indicator. Any page can call Element.requestFullscreen() in response to a user gesture such as a click; once in fullscreen the browser's own address bar and tab strip disappear and the page controls every pixel on the screen. Chrome and Firefox counter this with an explicit notice telling the user that the site has entered fullscreen and how to leave it. Safari only plays a brief transition animation, which is easy to miss or to mask, so an attacker page can draw a convincing copy of Safari's toolbar showing the genuine target URL, and the victim has nothing to compare it against.
The attack chain described by the research is short. The victim lands on an attacker-controlled page through an ad, a search result or a link in a message, and clicks something innocuous such as a "Sign in" button; that click is the user gesture that authorises fullscreen. The page goes fullscreen and displays a fake browser window: a fake Safari toolbar on top, and beneath it the attacker's remote browser, which has already loaded the real login page of the target. Because the real page is rendered by a real browser, branding, redirects and MFA prompts all behave correctly. The credentials and the resulting session cookies end up on the attacker's side, and the attacker can keep using the session after the victim closes the window. No exploit payload is involved; the page uses only standard web APIs, which is why URL filtering and malware scanning see nothing unusual.
This advisory associates the issue with CVE-2021-30124; the SquareX write-up in the references is the primary description of the technique and should be consulted for the browsers and versions tested. Operationally, the important point is that the condition is a user-interface gap rather than a crash that a single patch closes, so the countermeasures below lean on policy, monitoring and user awareness as much as on updates.
Severity:
High
Attack Surface:
Mobile OS, Web Browser
Tactics:
Credential Access
Techniques:
T1203 – Exploitation for Client Execution
Indicator of Compromise:
1. https://otx.alienvault.com/pulse/6843fde8e0da223c9c609452
References:
1. https://labs.sqrx.com/fullscreen-bitm-f2634a91e6a5
SuperPRO’s Threat Countermeasures Procedures:
1. Do not enter credentials into a login window that appeared after the browser went fullscreen. Press Esc to leave fullscreen and confirm the real address bar before typing; a genuine login page never needs fullscreen.
2. Keep Safari and the underlying iOS/macOS up to date and track Apple's guidance on fullscreen indicators; where policy allows, steer high-risk users to a browser that shows an explicit fullscreen notice.
3. Monitor for the remote-browser transport and its side effects: WebSocket sessions from browsers that carry VNC (RFB) traffic to hosts outside the organisation's known console infrastructure, and sign-ins to cloud services from an IP address or device that does not match the user's endpoint.
4. Educate users that Safari's only fullscreen cue is a brief animation, and that a browser window drawn inside the page is a sign of BitM phishing.
5. Include fullscreen BitM scenarios in phishing simulations and red-team exercises so that detection and user response are tested against the real technique.
6. Limit the blast radius of a relayed login: short session lifetimes, conditional access tied to managed devices, and phishing-resistant MFA (FIDO2/WebAuthn) so that a password and one-time code captured through the attacker's browser are not enough to complete authentication.
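The attack description above and countermeasure 3 both hinge on the transport a BitM kit uses to stream the attacker's browser to the victim. The following is an added detection example written for this advisory, not code from SquareX, Apple or the OTX pulse. It assumes the kit relays the remote browser with a noVNC-style client, so the WebSocket frames carry raw RFB and begin with the RFB ProtocolVersion banner; the session records, the allowlist host and the user agent are constructed for illustration.

```python
"""Flag Browser-in-the-Middle (BitM) relay traffic: VNC (RFB) carried inside
WebSocket sessions that a browser opened to a host that is not a known console.

Added example for this advisory, not code from SquareX or Apple. Assumptions:
the BitM kit streams the attacker's browser with a noVNC-style client, so the
WebSocket carries raw RFB; the session records and the allowlist below are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# RFB ProtocolVersion handshake, the first 12 bytes a VNC server sends
# (RFC 6143, section 7.1.1): "RFB xxx.yyy\n".
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")

# Hosts where VNC-over-WebSocket is legitimate (constructed allowlist).
KNOWN_VNC_CONSOLES = {"vnc-console.corp.example"}


@dataclass(frozen=True)
class WsSession:
    client_ip: str
    host: str                  # Host header of the WebSocket upgrade request
    user_agent: str
    server_first_frame: bytes  # payload of the first server->client data frame
    client_first_frame: bytes  # payload of the first client->server data frame


def rfb_version(payload: bytes):
    """Return (major, minor) if payload starts with an RFB banner, else None."""
    m = RFB_BANNER.match(payload)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(session: WsSession) -> str:
    """'bitm-suspect', 'vnc-allowlisted' or 'benign' for one WebSocket session."""
    # In RFB both sides announce a version before anything else; requiring the
    # client's reply too avoids false positives on a banner nobody answered.
    if rfb_version(session.server_first_frame) is None:
        return "benign"
    if rfb_version(session.client_first_frame) is None:
        return "benign"
    if session.host in KNOWN_VNC_CONSOLES:
        return "vnc-allowlisted"
    return "bitm-suspect"


def scan(sessions):
    """Map each session to (host, verdict); 'bitm-suspect' entries warrant an alert."""
    return [(s.host, classify(s)) for s in sessions]


# Constructed sample data: one relay to a look-alike login host, one to the
# corporate console, one ordinary chat WebSocket.
SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.4 Safari/605.1.15")
SAMPLE_SESSIONS = [
    WsSession("10.20.0.5", "sso-portal-login.example-cdn.net", SAFARI_UA,
              b"RFB 003.008\n", b"RFB 003.008\n"),
    WsSession("10.20.0.7", "vnc-console.corp.example", SAFARI_UA,
              b"RFB 003.008\n", b"RFB 003.008\n"),
    WsSession("10.20.0.9", "chat.example.org", SAFARI_UA,
              b'{"type":"hello"}', b'{"type":"join","room":"general"}'),
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_SESSIONS):
        print(f"{verdict:16} {host}")
```

The check only works where the WebSocket payload is visible: BitM pages use wss://, so the first frames have to come from a TLS-terminating proxy, browser telemetry or an endpoint agent, not from a passive network tap. Pair it with the sign-in side of countermeasure 3, since a session relayed through the attacker's browser reaches the cloud provider from the attacker's IP address, not the user's.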
Contributed by: Vickern