A new set of critical vulnerabilities in Android smartphones have left 95 percent of Google Android phone users wide open attack with little to no user interaction required. While phishing bugs triggered by users clicking on malicious links are reported pretty regularly, the vulnerabilities discovered by Zimperium researcher, Joshua Drake, require no such action. In some cases, the code can even be triggered silently, without the victims' knowledge, and the catalyst message can be deleted from the device before users even realize they’ve been pwned.
The severity of the bugs make them some of the worst flaws ever discovered in Android devices.
These vulnerabilities affect all Android phones running version 2.2 and above. When security researcher Joshua Drake, reported the bugs to Google in April, the company was quick to send out patches to all partners. But unfortunately, Drake said many manufacturers have yet to make the needed fixes available to the public, leaving as many as 950 million Android phones vulnerable to attack.
Drake discovered six critical remote code execution bugs within Android’s media playback tool, Stagefright. Leveraging the bugs, attackers could gain unauthorized access to devices remotely putting users’ private data at risk.
The attack is quite easily triggered. All a hacker needs is the phone number of a target. They simply send the target a MMS message with a Stagefright exploit packaged within and the user is pwned upon simply viewing the poisoned message.
“You don’t have to try to play the media or anything,” Drake told iDigitalTimes. “You just have to look at it.”
Once the attack is launched, hackers can then write code to the device and steal data from sections of the phone for which Stagefright has permissions. This can then allow attackers to record audio and video and search photos stored in SD cards.
But in some cases, the attack can be even more clandestine. Drake said that if the message with the malicious code was sent through Google Hangouts, it would “trigger immediately” without users even needing to look at the message at all.
“Hangouts pre-renders the thumbnail for the media,” said Drake. “That triggers the vulnerable code without any user knowledge or interaction.”
According to Drake, when sending the attack via Google Hangouts attackers could even delete the message before users realized they’d received it.
“Once the attack has succeed, then the payload can clean up [the evidence],” said Drake.
While Drake doesn’t believe the vulnerabilities have yet been leveraged in the wild, the severity of the issue is nonetheless alarming. Although Google has been quick to send out patches for the vulnerabilities to its partners, there’s still no way of knowing when the patches will make their way to the public. In an emailed statement to FORBES, Google said patches should become available through partners in the coming weeks and months.
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device,” the statement said.
The complete details of Drake’s research will be revealed at Black Hat Aug. 1-6 and Defcon August 6-9 in Las Vegas, Nevada.
