It’s like something from a bad movie: eager to learn the details of the bad guy’s dastardly plot, the good guys hack his phone armed with little more than knowledge of his phone number. No physical access to the phone, no tricking him into opening some shady application; just a quick message sent to his phone, and bam — they’re in.
Alas, that’s essentially how a new Android hack works, according to researchers… and the vast majority of Android devices are vulnerable.
Here’s the breakdown:
- Researchers at Zimperium Mobile Labs, where it was discovered by VP of Platform Research and Exploitation Joshua Drake, claim that up to “95% of Android devices” are vulnerable.
- To initiate the attack, the hacker sends a maliciously modified video message. The message is able to circumvent Android’s sandboxing security measures and execute remote code — at which point they’d have near-full access to your device, its storage, its camera and microphone, etc.
- The hack is being referred to as “Stagefright.” “Stagefright” is also the media library that Android uses to process video, and is the bit of code being exploited here.
- In many cases, the device will start processing the message without the user opening the message manually. Just receiving the message is enough to get the ball rolling.
- Worse yet, an attacker could theoretically delete the message themselves as soon as they’ve executed the attack, leaving behind no trace but a notification that most would quickly swipe away with no idea that their device is now under an attacker’s control.
- The bug is said to have been introduced in Android v2.2 (Froyo), but Zimperium has successfully tested it on builds as recent as the latest release, Android 5.1.1 (Lollipop). Devices running a build older than Jelly Bean (4.1) are said to be most vulnerable.
The good news: the bug can be fixed with an over-the-air update, and Google already has a patch ready to go.
view the full story here