Cybersecurity group digs into Android source code to reveal vulnerability that could affect nearly 1B devices
New research from Zimperium Mobile Security opens up Android-based smartphones to a text message attack that could be executed with no action by the end-user.
The mobile security solutions firm detailed its findings in a July 27 blog post put out ahead of research presentations scheduled for the Black Hat USA conference on Aug. 5 and DEFCON 23 on Aug. 7.
VP of platform research and exploitation Joshua Drake uncovered the vulnerabilities inside the Stagefright media library, which is written in C++ code.
From the company announcement: “Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
Zimperium reports that after discovering the vulnerability they designed software patches, which were immediately passed on to Google. “Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.”
The devices most at risk were running Android versions prior to Jelly Bean.
