Researchers from cybersecurity firm Zimperium have discovered a vulnerability within Android that allows hackers to access and control a device remotely, with 95% of smartphones and tablets running the operating system (between versions 2.2 and 5.1) thought to be at risk.
The fault, branded Stagefright, is within Android’s media library. All it takes to exploit it is a fraudulent MMS message that, once it has been received and its media downloaded, can give hackers full control over an Android device without the owner’s knowledge. Zimperium intends to present its findings at the Black Hat 2015 and Def Con security conferences, both in August.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” Zuk Avraham, Zimperium’s Chief Technology Officer, said. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
Though Google has applied patches through its Android Open Source Project, Zimperium still implores Android device owners to check for software updates regularly, and contact their phone carrier if they think that the appropriate update has not been made available to them.
Google has thanked Zimperium for its findings and assured customers that it is working proactively to counter such exploitation of its software:
“The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device. Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”
Thank you The Trigger for providing us with this information.