Stagefright code flaw opens 95% of Android devices to hacks
MANILA, Philippines – Some 950 million Android devices – 95% of the Android devices in the world – are at risk of an attack from a multimedia text, described as the "worst" Android vulnerabilities to date.
Six critical vulnerabilities in Stagefright, a media playback tool in Android, leave devices running Android 2.2 Froyo and higher in trouble.
Joshua J. Drake of Zimperium zLabs explained on Monday, July 27, what their blog post termed as "the worst Android vulnerabilities discovered to date."
If an attacker knows your mobile number, they can "remotely execute code via a specially crafted media file delivered via MMS."
Zimperium added: "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited."
In an interview with Forbes, Drake further explained that the type of MMS application in use can also affect whether or not you even see the notification. When the exploit code was opened in Google Hangouts, it would “trigger immediately before you even look at your phone...before you even get the notification,” Drake said.
Because of this, an attacker could delete the message while you were sleeping, keeping you unaware that you had been attacked at all.
Further exploits could be chained as secondary commands following the first attack. Such chained exploits would give an attacker more access to phone functions and data.
The Stagefright vulnerability was assigned with the following CVEs (Common Vulnerabilities and Exposures):
Aside from the patches applied internally to Google's code branches, it seems manufacturers of Android devices, Google included, have yet to make a patch available to users.
Drake will explain what he found in more detail at the Black Hat and Defcon security conferences happening in Las Vegas next week. – Rappler.com
Android phone image from Shutterstock