The latest vulnerability in Google’s Android operating system is being called one of the worst to date: It lets hackers corrupt a device simply by sending a text message that users don’t even have to open.
According to San Francisco-based security firm Zimperium, there are multiple vulnerabilities in an Android media processing platform known as Stagefright. Attackers can use these vulnerabilities to send media files via MMS that execute code remotely, giving them access to files, permissions and other sensitive information on the phone. The code can allow the bad actor to tap into the infected device’s microphone and video camera.
What makes this exploit so dangerous is the fact that users do not have to click on the malicious media — once the phone has been contacted, the exploit has started to execute code.
Zimperium said the issue critically exposes 95 percent of Android devices, which comes to an estimated 950 million devices. When the company alerted Google about the problem, a patch was pushed in 48 hours.
Despite the quick fix, Zimperium said Android users are still vulnerable. Android’s over-the-air updates normally take a while to reach users. Some older devices never receive updates at all. Roughly 11 percent of Android users are running devices prior to Android 4.1 (Jelly Bean), versions that are most at-risk.
“If ‘Heartbleed’ from the PC era sends [a] chill down your spine, this is much worse,” reads a blog post on Zimperium’s website. “The targets for this attack can be anyone from prime ministers, ministers, executives of companies, security officers to IT Managers and more, with the potential to spread like a virus.”
Users of Silent Circle’s PrivatOS and Mozilla’s Firefox OS have already been patched. FedScoop has reached out to several other mobile device management companies to see what has been done in the exploit’s wake.
We have also reached out to a number of government agency mobility departments to see if there have been any in-house fixes ordered. We’ll update when we hear more.
UPDATE 7.28, 7:00 AM: Enterprise Mobility Management company Good Technology, which works will a variety of government agencies, sent along the following statement:
Zimperium announced that they have discovered what they describe as the “‘Mother
of all Android Vulnerabilities,’ as it impacts 95% of all Android
devices out there and does not require any interaction with the victim.”
we wait in anticipation of the BlackHat and DefCon presentations, we
are also reviewing Android’s StageFright Media Player Architecture.
Initial analysis of the limited information provided indicates that this
vulnerability can’t be used to access any data within the Good secure
that certain devices may have additional vulnerabilities that might
allow broader exploits to be executed, but insufficient details have
been disclosed to enable us to make any further analysis at this time.
Once full details are disclosed by the researcher we will issue an update as required.