Security researchers have uncovered flaws affecting nearly all Android devices that they say could allow a smartphone or tablet to be automatically infected with malicious code via a specially crafted MMS message.
The vulnerability, which lies in a media library named ‘Stagefright’, affects 95 percent of Android devices, or about 950 million units, according to Zimperium zLabs, which said vice president Joshua Drake plans to present his research around the flaw at next month’s Black Hat USA and DEF CON 23 conferences.
“If ‘Heartbleed’ from the PC era sends chills down your spine, this is much worse,” the firm said, alluding to a bug disclosed last year that was estimated to leave 17 percent of the Internet’s secure web servers vulnerable, and which security experts called “catastrophic”.
When an MMS message containing video is received by a handset, the affected versions of Android automatically create a preview of the video using Stagefright. The flaw means that a specially crafted message could trigger a memory corruption vulnerability in that library, giving an attacker sufficient privileges to execute arbitrary code.
Zimperium said the vulnerabilities exist in part because Stagefright is written in native C++ code, which is more prone to such issues than languages such as Java.
Because the flaws make use of an automatic process that’s switched on by default in the affected devices, they don’t require any user interaction, and thus can be made entirely invisible by a sophisticated attacker, who could for instance craft exploit code that would remove any sign that the malicious message had been received.
“This vulnerability can be triggered while you sleep,” Zimperium said in its advisory. “Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult,” Google confirmed to TechWeekEurope. “Android devices also include an application sandbox designed to protect user data and other applications on the device.”
Devices running earlier Android versions, about 11 percent of the total, don’t include those mitigations and as such are more vulnerable, according to Zimperium.
The firm said Google applied patches to the Android code within 48 hours, but devices would require an over-the-air firmware update in order to receive the patches. That process is slow for most handsets and nonexistent for some, as the update mechanism varies depending upon the manufacturer of the handset.
“Devices older than 18 months are unlikely to receive an update at all,” Zimperium said.
Another option would be to disable MMS messages via the handset’s carrier settings or, for more advanced users, to use specialised tools to gain administrator access to the device and disable the Stagefright library or manually install a patched version of Android.
Google confirmed it has ranked the severity of the bug as “high”, and Drake said he received $1,337 from the search company for providing the research.
“We thank Joshua Drake for his contributions,” Google stated. “The security of Android users is extremely important to us and so we responded quickly.”
View Comments
Is this just another rant on non-Apple mobile devices? There is no need for patches. The issue could be solved by a Hangout app update. And Hangout is not the default app for rarely used MMS.