Android users are threatened by a new vulnerability dubbed Stagefright in the popular Google mobile OS, which allows hackers to gain control of the system without raising suspicion.
Another disconcerting aspect of the Stagefright flaw is that it potentially affects 95% of Android devices running version 2.2 to 5.1 of the Google OS (roughly 950 million smartphones ). Experts at security firm Zimperium announced the Stagefright vulnerability as the worst Android flaw in the mobile OS history, and confirmed that they will reveal more details at the next BlackHat or DEFCON in Las Vegas this year.
The Stagefright flaw affects a media library app that is used for by Android to process Stagefright media files. According to the experts at Zimperium the media library is affected by several vulnerabilities.
Joshua Drake from Zimperium discovered seven critical vulnerabilities in the native media playback engine called Stagefright, the expert defined the Stagefright flaw the “Mother of all Android Vulnerabilities.”
The attackers can exploit the vulnerability by sending a single multimedia text message to an unpatched Android device, according to the security firm Google has already issued a patch and has sent out to it to the company’s partners. However, most manufacturers haven’t already distributed the patch to their customers exposing them to cyber attack
Once the attackers have successfully exploited the vulnerability, they would be able to write code to the mobile device and steal user data, including audio or media files or photographs stored in the SD cards. The attackers can remotely control the device, accessing audio from microphone, reading emails, and exfiltrating sensitive data.
The experts at Zimperium explain that, unlike spear-phishing attacks, where victims need to open a malicious file or click on a like to a domain used to serve a malware, the Stagefright vulnerability can be triggered even if victims are not using the smartphone.
Once the exploit has been delivered, the attacker can delete the message before the user will notice it, making attacks very insidious and impossible to detect.
“All devices should be assumed to be vulnerable,” Drake told Forbes. Drake says that only Android phones below version 2.2 are not affected by this particular vulnerability. “I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging application Messenger. That one does not trigger automatically but if you look at the MMS, it triggers, you don’t have to try to play the media or anything, you just have to look at it,” Drake added.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.