Security researchers at Zimperium zLabs have uncovered a critical, staggeringly serious flaw in Android. It is reportedly the worst Android bug ever uncovered, according to a report in Forbes.
“All (Android) devices should be assumed to be vulnerable,” Joshua Drake, vice president of platform research and exploitation at Zimperium, told Forbes.
A clear threat
Drake warned that a simple multimedia text could trigger an attack in which the phone automatically parses the attack code before the text is even opened or viewed. This stealth makes the exploit particularly dangerous, giving mobile users little or no chance to defend their data against such an attack.
“This happens even before the sound that you’ve received a message has even occurred,” Drake says, before adding: “That’s what makes it so dangerous. [It] could be absolutely silent. You may not even see anything.”
The researchers at Zimperium discovered that the flaw resides in Stagefright, the default media playback tool built into the Android system.
Stagefright, set to fright
Drake reported the bugs to Google in April this year. He also sent Google his own patches to fix them.
“Basically, within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great,” Drake told NPR. “You know, that’s a very good feeling.”
Google has already created patches to fix the vulnerability and has sent them to vendors and manufacturers. However, the hardware companies have not yet rolled out those fixes, which leaves nearly all Android devices vulnerable, according to Drake.
Here’s how a potential hack could work:
- Attackers could craft a multimedia text, such as a short video embedded in a message, with malware hidden in it, and send it to your number.
- Automatic ‘parsing’ then takes place: the default SMS application immediately processes the embedded video so that it is ready in the phone’s memory the moment it is needed. At this point the malware is embedded in the phone.
- From there, the attacker could potentially take complete control over the phone.
Such a comprehensive hack would allow the attacker to:
- Copy data including emails, texts, stored credit card data and encrypted passwords.
- Take control of the microphone on the phone to record every conversation.
- Take control of the camera on the phone to monitor every move.
Hardware manufacturers are expected to take the vulnerability seriously and roll out the patches soon, according to security researchers. We’ll keep you updated on this developing story.