Researchers recently uncovered a critical security flaw that threatens to expose almost a billion users to what's being considered as "one of the worst Android vulnerabilities discovered". The security hole found at the heart of the widely-used operating system is said to have been first spotted last April, and potentially affects 95% of all Android devices, or an estimated 950 million Android smartphone and tablet users running on versions 2.2 or later.
The bug was found in Stagefright, one of Android’s media libraries that it uses to read and display multimedia files in varying formats. It was also reported that multiple remote code execution vulnerabilities were spotted, all of which could potentially be exploited in a number of methods.
The flaw can be exploited without any form of interaction, making it different from other attacks that basically bank on a user’s wrong move like clicking on a malicious link or downloading a poisoned attachment. This means that all an attacker needs is the target’s phone number and a malformed media file attached to an MMS and sent the unknowing victim’s way.
More advanced tactics could be used to stealthily compromise a device—even when the owner isn't using it. This is done by deleting the message even before the user gets to see it, thereby leaving no trace that the device has been compromised. Once infected, attackers will be granted significant control over the victim’s device, giving them remote access to the device's applications such as the audio recorder and camera for surveillance. Apart from spying, attackers can also take new images and record audio with the infected Android device. A more complete look into the discovered vulnerability is slated to be divulged by the researchers in the upcoming Blackhat conference in Last Vegas.
To date, researchers have not been alerted of attackers weaponizing these vulnerabilities to their advantage. However, it is now a question of how soon and how quickly attackers can see this as an opportunity to turn Android users into victims. Upon its discovery, researchers have promptly given notice to Google about the crippling vulnerability. Google has taken necessary actions to address the flaw.
In a statement, Google said, “The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.” Other Android partners, namely HTC, Blackphone, Samsung, Nexus and T-Mobile , have expressed active participation on actions needed to ensure user safety.
Until patches have been deployed, users are advised to turn off the Auto-retrieve setting on their Android device to lessen risks of infection. In the same light, users are urged to be more careful of multimedia files that come from unverified and suspicious sources. A security solution such as Trend Micro Mobile Security adds an extra layer of security for Android devices by defending users from exploits that alter system functions.
Update - July 31: Evidently, sending malicious apps via MMS isn't just the only way to exploit the Stagefright vulnerability. Another flaw in the system's mediaserver component involves its inability to properly handle a malformed MP4 file, which leads to a bug that could be exploited. More details regarding the flaw, as well as a number of possible attack scenarios can be found in the TrendLabs Security Intelligence Blog post: MMS Not the Only Attack Vector for “Stagefright”
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.