Six critical vulnerabilities in a core Android component called Stagefright have led to an exploit with which one can hack 95% of all Android devices in existence simply by sending them a slightly modified multimedia message (MMS).
Security expert Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium, was the one to discover the exploit in Google’s OS, which only requires knowing the victim’s phone number.
As far as the stock Messenger app is concerned, the exploit won’t occur unless the victim views an MMS with a video file containing malware on their device. However, in the case of other MMS applications such as Google Hangouts, the victim doesn’t even need to open the message or watch the attached video in order for the hack to be activated. The device will automatically process all media attachments in incoming Hangouts messages and, in turn, parse the attack code.
All that’s needed for the exploit to work is the victim’s phone number
According to Drake, under these dangerous circumstances, a hacker could quickly gain control over the device through remote code execution without any intervention from the victim. Even if they were to discover something fishy, the video would have already made its way into the phone’s Gallery app and there would be little the victim could do in order to protect their personal data. The hacker could also delete the message once the exploit is activated, leaving no trace of the malicious content.
Stagefright is the multimedia playback tool behind the automatic processing, playback and recording of multimedia files on Android devices. This framework is the culprit that makes it possible for remote code execution to be triggered once a message is received through MMS apps such as Google Hangouts. Drake warned that nearly every app that handles media files on the Android OS makes use of the Stagefright library in one way or another, essentially leaving devices prone to what are said to be the worst Android flaws ever.
According to Drake, the vulnerabilities have existed in the Google OS since version 2.2. Moreover, devices running Android versions prior to Jelly Bean (4.2) are under greater threat, as previous versions of the OS don’t feature the exploit mitigations that were built into more recent versions.
In an effort to put an end to these vulnerabilities, Google has successfully patched its internal code branches. Android devices will also require over-the-air updates, though there’s no telling how long manufacturers will take in order to patch them.