Researchers have uncovered a security bug leaving 95% of Android smartphone and tablet users open to attack.
Zimperium zLabs vice president of platform research and exploitation Joshua J. Drake said that he uncovered the vulnerability, codenamed Stagefright, in an interview with Business Insider.
The bug exists in one of the media libraries used by Android to display and read common file formats, such as PDFs.
“As a result of hastily written code, there are a number of security vulnerabilities in Android devices. One piece of software in particular, called Stagefright, has errors in the code that lets attackers send malware directly to any device where they know the phone number,” explained Drake.
The Stagefright flaw affects phones or tablets running Android version 2.2 or later. According to Zimperium zLabs, this means over 950 million smartphones and tablets are currently vulnerable to Stagefright attacks.
Business Insider has reached out to Google for comment.
How it can be hacked
Drake said the Stagefright flaw is atypical, as a hacker can use it to install malware on a victim’s machine without any interaction with its user.
“The scariest part is that a Stagefright attack does not require any action by the victim, meaning the flaw can be exploited remotely while a device owner is asleep,” he explained.
“This is different from spear-phishing attacks, which require users to open an email attachment or click on a link for the attack to be successful. It amounts to an attacker sending a media file via MMS, which again requires no action from the user.”
Traditionally, Android hackers have required the victim to do something wrong — such as downloading a pirated app the hacker has laced with malware from a third party store — for their schemes to work.
Drake said, if exploited, the Stagefright bug could grant hackers a variety of powers over the victim device.
“Once an attack is complete, the hacker has access to many of the phone’s applications, notably the audio and camera,’ he said.
“By controlling these applications, an attacker can essentially spy on their victim by listening in on conversations or watching the device’s surroundings. Sophisticated attackers could also create what we call ‘elevated privileges,’ which would provide complete access to the phone’s data.”
When it will be fixed
Zimperium zLabs is yet to see evidence hackers are targeting the Stagefright bug, and the firm has sent fixes for Stagefright to Google, which it hopes the firm will deploy in the very near future.
“We are yet to find any instances of Stagefright being exploited in the wild,” Drake told Business Insider.
“[Upon] discovering the Stagefright vulnerability, we alerted Google and provided patches for the problem to help them begin the lengthy update process.”
Zimperium zLabs has not publically disclosed all the information hackers would need to exploit the Stagefright flaw. His full research will be shown at Black Hat USA on August 5 and DEF CON 23 on August 7.