Technology
Technology

Stagefright code flaw opens 95% of Android devices to hacks

Victor Barreiro Jr.

SUMMARY

This is AI generated summarization, which may have errors. For context, always refer to the full article.

Stagefright code flaw opens 95% of Android devices to hacks
These vulnerabilities in Stagefright, a media playback tool in Android, can allow an attacker who knows your number to hack your phone while you sleep

MANILA, Philippines – Some 950 million Android devices – 95% of the Android devices in the world – are at risk of an attack from a multimedia text, described as the “worst” Android vulnerabilities to date.

Six critical vulnerabilities in Stagefright, a media playback tool in Android, leave devices running Android 2.2 Froyo and higher in trouble.

Joshua J. Drake of Zimperium zLabs explained on Monday, July 27, what their blog post termed as “the worst Android vulnerabilities discovered to date.”

If an attacker knows your mobile number, they can “remotely execute code via a specially crafted media file delivered via MMS.”

Zimperium added: “A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited.”

In an interview with Forbes, Drake further explained that the type of MMS application in use can also affect whether or not you even see the notification. When the exploit code was opened in Google Hangouts, it would “trigger immediately before you even look at your phone…before you even get the notification,” Drake said.

Because of this, an attacker could delete the message while you were sleeping, keeping you unaware that you had been attacked at all.

Further exploits could be chained as secondary commands following the first attack. Such chained exploits would give an attacker more access to phone functions and data.

The Stagefright vulnerability was assigned with the following CVEs (Common Vulnerabilities and Exposures):

  • CVE-2015-1538
  • CVE-2015-1539
  • CVE-2015-3824
  • CVE-2015-3826
  • CVE-2015-3827
  • CVE-2015-3828
  • CVE-2015-3829

Aside from the patches applied internally to Google’s code branches, it seems manufacturers of Android devices, Google included, have yet to make a patch available to users.

Drake will explain what he found in more detail at the Black Hat and Defcon security conferences happening in Las Vegas next week. Rappler.com

Android phone image from Shutterstock

Add a comment

Sort by

There are no comments yet. Add your comment to start the conversation.

Summarize this article with AI

How does this make you feel?

Loading
Download the Rappler App!
Person, Human, Sleeve

author

Victor Barreiro Jr.

Victor Barreiro Jr is part of Rappler's Central Desk. An avid patron of role-playing games and science fiction and fantasy shows, he also yearns to do good in the world, and hopes his work with Rappler helps to increase the good that's out there.
More from Victor Barreiro Jr.