Six critical vulnerabilities have left 95 per cent of Google GOOGL +1.34% Android phones open to an attack delivered by a simple multimedia text, a mobile security expert warned today. In some cases, where phones parse the attack code prior to the message being opened, the exploits are silent and the user would have little chance of defending their data. The vulnerabilities are said to be the worst Android flaws ever uncovered.
Joshua Drake, from Zimperium zLabs, who reported the bugs in April this year, said whilst Google has sent out patches to its partners, he believes most manufacturers have not made fixes available to protect their customers. ?All devices should be assumed to be vulnerable,? Drake, vice president of platform research and exploitation at Zimperium, told FORBES. He believes as many as 950 million Android phones could be affected, going on figures suggesting there are just over 1 billion in use. Only Android phones below version 2.2 are not affected, he added.
The weaknesses reside in Stagefright, a media playback tool in Android. They are all ?remote code execution? bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright?s permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright.
Depending on the MMS application in use, the victim might never know they had even received a message. Drake found that when the exploit code was opened in Google Hangouts it would ?trigger immediately before you even look at your phone? before you even get the notification?. It would be possible to delete the message before the user had been alerted too, making attacks completely silent, he added.
Read more at FORBES