This Text Message Can Hack Any Android Phone Remotely

Stagefright attack

Gone are the days when an attacker needed physical access to your smartphone in order to compromise it. The normal method of infecting an Android device is to trick the phone’s owner into installing a malicious app, or to fool them into clicking on a link that points to a webpage that exploits a vulnerability and silently installs malware onto the device.

Joshua Drake, a security researcher with Zimperium, has found a serious vulnerability that breaks all the barriers and requires no interaction at all by the user. In fact, the vulnerability could allow a hacker to infect your mobile phone while you’re fast asleep.

The researcher has found that 95% of Android devices running versions 2.2 to 5.1 of the operating system, which includes Lollipop and KitKat, are vulnerable to a security bug, affecting more than 950 million Android smartphones and tablets.

Drake has uncovered a way of breaking into an Android user’s phone and hijacking control of it just by sending an MMS message with a maliciously crafted movie file. Once in place, the malware could secretly steal information and spy on your conversations without your knowledge.

Most vulnerable, according to Zimperium’s report, are versions of Android prior to Jelly Bean (version 4.1), which account for something like 11% of the Android population.

The weak point of Android being exploited is “Stagefright”, a code library used to process popular media formats.

A fully weaponized successful attack could even delete the message before you see it. You will only see the notification.

Android users who still use older versions need to worry about the vulnerability, as there will be no fix for them: those versions are no longer supported by Google, which leaves the door open for hackers to carry out Stagefright attacks.

“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” reads the Zimperium blog post published Monday.

“Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised, and you will continue your day as usual—with a trojaned phone.”

Stagefright: Scary Code in the Heart of Android

Drake will present his full findings, including six additional attack techniques to exploit the vulnerability, at the Black Hat security conference in Las Vegas on August 5 and at DEF CON 23 on August 7, where he is scheduled to deliver a talk titled “Stagefright: Scary Code in the Heart of Android”.
