Here’s a nightmare scenario: A simple smartphone exploit that doesn’t require the user to do anything other than receive a text message. If such a thing worries you (and, if you’re an IT manager, in a shop that allows BYOD, it should) then there’s bad news for you: Such an exploit exists for, it estimated, roughly 95% of Android smartphoneswhich runs roughly 82% of the world’s estimated 1.91 billion smartphones.
Discovered by Joshua J. Drake, VP of Platform Research and Exploitation forZimperium zLabs, the StageFright Vulnerability is unusually effective for attacking unpatched systems:
Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart. Named Stagefright, it is a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java … These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices.
The company explains:
Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.