A flaw called “Stagefright” in Google’s Android operating system could let hackers take over a phone with a message — even if the user doesn’t open it.
A mobile security blog that discovered the flaw believes it could “critically expose” 95 percent of Android devices.
Stagefright, which the discoverer called the “mother of all Android vulnerabilities,” allows people to send a video containing hidden malware to Android phones via a multimedia message (MMS) application.
These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7, found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user interaction.
Attackers need only your mobile number, with which they can remotely execute code via a specially crafted media file delivered via MMS.
A fully weaponized successful attack could even delete the message before you see it. You will only see the notification.
These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep.
Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.
All the bugs have been assigned CVE numbers, which are used to record and identify vulnerabilities. They include: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829. When the disclosure lands today, security professionals and malicious hackers alike will have enough information to get cracking on exploits. Manufacturers have been urged to make haste in addressing the issues.