One of the most dangerous vulnerabilities to hit the Android scene ever has been uncovered: Dubbed Stagefright, the flaw makes all Android devices targets of remote take-over by simply receiving an MMS message, without even having to open or view it.
According to Zimperium, an exploit allows an attacker to gain remote-code execution privileges merely by having access to a mobile number.
“Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart,” explained the company’s research team, in a blog. “[The problem] is a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java.”
The issues in Stagefright code critically expose 95% of Android devices, which translates to an estimated 950 million devices.
Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file. A fully weaponized successful attack could even delete the message before the victim sees it; he or she will only see the notification.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” researchers said. “Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.
Android and derivative devices after and including version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations.
According to Chris Wysopal, CISO and CTO at Veracode, the flaw can be seen as a “Heartbleed for mobile.”
“These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS,” Wysopal said in an email. “All an attacker needs to do is send an MMS to a user’s device phone number, and sit back and wait for the malware to take over.”
Zimperium qualified the Heartbleed comparison: “If ‘Heartbleed’ from the PC era sends chills down your spine, this is much worse,” the researchers said.
Google has applied patches to internal code branches, the first part of a lengthy process of update deployment.
“They’ll have to drive the patch quickly and in a manner that impacts every affected device at the same time,” Wysopal said. “Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch. This would leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that would impact any device. We’re likely to see Google force down a tool that addresses the vulnerability for everyone.”
That said, two groups of users are already protected against all reported issues. Users of SilentCircle’s Blackphone have been protected as of the release of PrivatOS version 1.1.7, Zimperium noted. And Mozilla’s Firefox, which is also affected, has included fixes for these issues since version 38.