file photo by ArtChick
Booby-trapped MMS messages and websites exploit flaw in heart of Android.
Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message or the user is lured to a malicious website, a security researcher reported Monday.
The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in “Stagefright,” an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.
In a blog post published Monday, Zimperium researchers wrote:
A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.
The vulnerability can be exploited using other attack techniques, including luring targets to malicious websites. Drake will outline six or so additional techniques at next month’s Black Hat security conference in Las Vegas, where he’s scheduled to deliver a talk titled Stagefright: Scary Code in the Heart of Android.