www.downlotz.com
Researcher at Zimperium zLabs has uncovered a series of vulnerabilities affecting the Android operating system that could affect millions of individuals. By simply sending text messages with infected attachments, hackers may be capable to trigger remote code execution vulnerabilities that allow access to targeted devices.
Previously reported in April, Joshua Drake, a member of the zLabs research team, discovered the so-called “Stage Fright”. Named after the media playback tool on Android, Drake noted that all the attackers needed was a cellular phone number. From there, infected Stagefright multimedia messages can be sent to unsuspecting devices allowing attackers to write code to the device and steal data, including audio, video, and photos stored on SD cards.
The vulnerability is claimed to affect around 950 million phones worldwide. The Android vulnerability affects any phone using Android software built within the last five years, according to Zimperium.
Due to the way some applications process incoming text messages, a device can become infected with remote code execution malware without knowing that the message has been received. Drake reports that apps like Google Hangouts will “trigger before you even look at your phone… before you even get a notification”. It is also possible to delete messages before the user is alerted, making attacks entirely silent, he added.
Google was alerted by zLabs to the discovery and has confirmed that a patch has been issued and distributed, but it is not clear what devices are still vulnerable. Drake noted that Android 2.2 and later operating systems were found to be vulnerable. Patch distribution for this kind of vulnerability is difficult as a result of the numerous different entities involved and the coordination required.
As opposed to patching files Apple text hack, where only Apple devices are affected, Android patches should be available for some manufacturers, in addition to carriers. At the time of the initial report made to Google, around 109 days ago, no patch had been released to address the Stagefright vulnerability.
Zimperium, claims to have “biggest splash at Black Hat and DEFCON” for 2015, will present Drake’s findings at a security conference in August.
While it isn’t known whether these vulnerabilities have been exploited in the wild, you can rest assured that once the details of the vulnerabilities are fully disclosed, there will be nothing to stop hackers from trying to exploit the problem. If certainly a patch is available for these findings, manufacturers and carriers alike will have less than two weeks to distribute them.
Gabe Morales is Senior Security Manager for Accume Partners and has over 15 years of experience in IT Security. He specialises in vulnerability testing, social engineering, and security awareness training. He can be followed on Twitter @gmorales63. For more updates check Akum Blog. For questions or comments, please e-mail me at gmorales@accumepartners.com.
