Researchers at Zimperium zLabs have uncovered a series of vulnerabilities in Android operating systems that could affect millions. By simply sending a text message with an infected attachment, a hacker may be able to trigger a remote code execution vulnerability that would allow access to the targeted device.
Joshua Drake, a member of the zLabs research team, discovered what is being called “Stagefright”, which was reported earlier in April. The name comes from the media playback tool in Android. Drake noted that the only thing an attacker would need is a target's mobile phone number. From there, an infected Stagefright multimedia message could be texted to unsuspecting devices, which would allow the attackers to write code to the device and steal data, including audio, video and photos stored on SD cards.
The vulnerability is said to affect an estimated 950 million phones worldwide. The Android vulnerability affects any phone using Android software made in the last five years, according to Zimperium.
Because of how some applications process incoming text messages, a device could be infected by the remote code execution malware without the user even knowing that a message had been received. Drake reported that apps such as Google Hangouts would “trigger immediately before you even look at your phone… before you even get the notification”. It would also be possible to delete the message before the user had been alerted, making attacks completely silent, he added.
Google was alerted by zLabs to the discovery and has confirmed that patches were issued and distributed; however, it is not clear which devices are still vulnerable. Drake noted that Android operating systems 2.2 and later were all found to be vulnerable. Distributing patches for these types of vulnerabilities is difficult because of how many different entities are involved and the coordination that is needed.
Unlike the patching of the Apple text hack, where only Apple devices were affected, the Android patches must be made available to multiple manufacturers, as well as carriers. In the roughly 109 days since the initial report was made to Google, no patches have been released to address the Stagefright vulnerability.
Zimperium, claiming to have the “biggest splash at Black Hat and DEFCON” for 2015, will be showcasing Drake’s findings at the security conference in August.
Although it is unknown if this vulnerability has been exploited in the wild, you can be certain that once the details of the vulnerability are disclosed in full, there will be nothing to keep hackers from attempting to exploit the issue. If indeed there are patches available for this finding, manufacturers and carriers alike have less than two weeks to distribute them.
Gabe Morales is the Senior Security Manager for Accume Partners and has over 15 years of experience in IT Security. He specializes in vulnerability testing, social engineering and security awareness training. He can be followed on Twitter @gmorales63. For more updates, check out the Accume Blog. For questions or comments, please email me at firstname.lastname@example.org.