Stagefright, believed to be the worst Android vulnerability discovered to date, exposes 95 percent of Android devices (an estimated 950 million of them) to external attack.
Joshua Drake from Zimperium zLabs, after “diving into the deepest corners of Android code,” found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction.
In layman’s terms, attackers only need your mobile number, through which they can remotely execute code via a specially crafted media file delivered via MMS.
The Zimperium site states that, “a fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited.
Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
According to Zimperium, it not only reported the vulnerability to Google’s Android teams, but also submitted patches. Considering severity of the problem, Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.
More information is available at the Zimperium website.
Recent Comments