Major Android security flaw leaves 950 million phones vulnerable to being silently hacked
The vulnerability lets an attacker take control of any device running Android 2.2 onwards using multimedia content – but while Google has had a patch since April, 95% of devices remain unprotected.
A huge security vulnerability in Android has been uncovered by a researcher, who revealed that devices can be hijacked using nothing more than a simple MMS message. The exploit is believed to affect almost all Android devices currently in use today, including those running all versions of the OS from Android 2.2 FroYo onwards.
Joshua Drake, VP of platform research and exploitation at mobile security specialists Zimperium, discovered several vulnerabilities in a core component of the OS called ‘Stagefright’, which is used to play, create and edit multimedia files. He describes this latest Android security flaw as “the worst Android vulnerabilities discovered to date”, adding that “if ‘Heartbleed’ from the PC era sends [a] chill down your spine, this is much worse.”
He found that some of these vulnerabilities could be exploited to remotely run code on the device, simply by receiving an MMS message, or by watching a specially constructed video file in a web browser, or even viewing a seemingly innocent web page with embedded media content.
As PC World explains:
The library is not used just for media playback, but also to automatically generate thumbnails or to extract metadata from video and audio files such as length, height, width, frame rate, channels and other similar information. This means that users don’t necessarily have to execute malicious multimedia files in order for the vulnerabilities found by Drake to be exploited. The mere copying of such files on the file system is enough.
What makes this threat particularly troubling is that it doesn’t require any authorizing action on the part of the user at all. Drake points out that your phone could receive an MMS while on silent as you’re sleeping, execute malicious code on the device, and then set the MMS message to delete itself, so you’d never even be aware of the fact that your device just got pwned.
However, attackers are limited in the capabilities that can be exploited using this vulnerability; some devices afford higher privileges to the Stagefright framework than others, so the extent of the vulnerability will differ between devices. On most of them, the camera, microphone and and external storage partition will be vulnerable – but Drake believes that around 50% of affected devices run Stagefright with higher privileges, making it easier to gain root access and fully take control.
Drake didn’t only publish information about the vulnerabilities – he also created patches and gave them to Google in April. He says that Google added the fixes to its internal Android code base within 48 hours.
However, the rate at which Android updates roll out is notoriously slow – eight months after its launch, Lollipop had only reached 12% of current devices. Drake believes that around 95% of Android devices in use today – around 950 million in total – are still affected.
You might want to blame the carriers for that, but even Google’s own Nexus devices remain impacted today, as the company has not yet patched all of them against this vulnerability. Drake told PC World that the Nexus 6 was the only device in Google’s range to have received fixes so far, and on his blog post, he even includes screenshots (shown at the top of this article) captured on a hijacked Nexus 5 running the very latest Android release, 5.1.1 Lollipop.
And because many manufacturers and carriers abandon their devices after 18-24 months, rolling out no further updates after that initial period, he believes that it’s optimistic to believe that even 50% of Android devices vulnerable to this threat will actually be properly patched, which – if accurate – will leave a huge number of users at risk.
Drake will present more details on his research into the vulnerability at the Black Hat USA security conference on August 5, and at DEF CON 23 on August 7.