Major security vulnerability discovered in Android devices
Researchers from Zimperium Mobile Security have just discovered a huge security flaw in Android. Attackers can get an Android device to execute code remotely just by sending an MMS which the system believes to contain a video. The security hole, described as "the worst Android vulnerability discovered to date", can be found on as many as 95 percent of all Android devices out there!
The vulnerability is caused by a piece of insecure code contained within the Android multimedia library called "Stagefright". It has been used since Android 2.2 Froyo, released in May 2010. Researchers from Zimperium say that in the most extreme scenarios the malicious MMS does not even have to be opened by the user in order to execute the external code and let the attacker gain access to sensitive data on your phone. What's more, some attackers are also able to delete the MMS right after it infects the system, leaving the user completely unaware that something is wrong.
Luckily, Stagefright runs with different levels of system privileges on different devices, which reduces the potential damage on handsets and tablets running newer versions of Android. On most of them, however, the camera, microphone and external storage partition will still be exposed.
In order to limit potential damage, no specific technical information has been given about how the vulnerability works. The flaw has been reported to Google, who are now working on a fix. However, Google is not able to roll out system updates by itself to devices other than the Nexus, so it might still take some time until the vulnerability has been fully patched via updates from OEMs and mobile carriers. In the meantime, the experts from Zimperium advise users NOT to use Hangouts as the default messaging app. Also, users should consider using one of the many third-party applications that do not automatically download a video until the user opens the text, which might give at least some users time to delete the message if they see it's suspicious (for example, from an unknown number).