The latest string up Android-related hacking and security faults place consumers in their most vulnerable position thus far: 95% of all Android phones are susceptible to an attack delivered through a standard multimedia text, and in most cases, the message self-erases before the user even realizes they’ve been breached.
Originally discovered by Zimperium zLabs’ security expert Joshua Drake in April 2015, the bug is believed to affect as many as 950 million Android phones of the 1 billion believed thought to be in use. Chiefly responsible is a bug in the media playback tool Stagefright, included in all Android versions above 2.2. As a remote code execution bug, hackers can piggyback off of an unpatched version of Stagefright by texting an exploit disguised as a multimedia message (MMS) to gain access to all data in the phone attainable through Stagefright’s permissions.
That means that a phone number is all a hacker needs to access a user’s phone and insert malicious code that will then allow them to steal photos, videos, and even record audio completely unbeknownst to the user. What’s worse is that hackers can send the MMS to any application capable of accepting it, and some are automatically activated before the user even receives a pending message notification. Of these, Drake discovered Google Hangouts to be the most notorious, as it would “trigger immediately before you even look at your phone… before you even get the notification,” leaving the victim completely unaware.
Once admission is granted, it wouldn’t be difficult for the hacker to daisy-chaining exploits and “escalate privileges,” as such exploits “are fairly easy to come by on Android, there are quite a few that are public”.
“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging application Messenger. That one does not trigger automatically but if you look at the MMS, it triggers, you don’t have to try to play the media or anything, you just have to look at it,” Drake added.
Drake claims that although Google patched the fatal flaw last spring, manufacturers have been extremely sluggish in the patching their products, which accounts for such a wide-scale vulnerability.
Source: Forbes
Learn more about Electronic Products Magazine