There’s a new smartphone bug affecting 95 percent of Android devices, or up to 950 million. The worst part, according to the security researcher who exposed the vulnerability, is that you don’t have to do or click on anything to potentially have your system hacked.
You just have to receive one text message.
Joshua Drake of the mobile security firm Zimperium zLabs discovered the vulnerability, which he calls “Stagefright” and will be presenting at the Black Hat security conference next week. He said that if the “Heartbleed” flaw, which exposed bank data, emails and other private info through a flaw in Internet server coding, “sends chill down your spine, this is much worse.”
“Android and derivative devices after and including version 2.2 are vulnerable,” Drake wrote in a blog post. “Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations.”
Here’s how the exploit works (emphasis added):
Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via [multimedia message]. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.
After Drake identified Stagefright back in April, he and the security firm reported it to Google, which develops the Android operating system, and provided patches to protect vulnerable users. Google, Drake wrote, acted quickly to fix the problem, but he went on to say “that’s only the beginning of what will be a very lengthy process of update deployment.”
This is because devices require a firmware update, and such updates, Drake noted, “for Android devices have traditionally taken a long time to reach users.” He wrote that devices older than 18 months might not even receive an update.
“We hope that members of the Android ecosystem will recognize the severity of these issues and take immediate action. In addition to fixing these individual issues, we hope they will also fix any business processes that prevent or slow the uptake of such fixes,” Drake wrote.
Drake suggested that Android users contact their device manufacturer or carrier to determine if the appropriate security patch has been applied to their system.
A Google representative told Forbes in a statement that its manufacturers would be deploying the appropriate patches and noted that “most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”
The good news in this case is that Zimperium doesn’t think the flaw has been exploited yet, Wired reported.
(H/T: Huffington Post)