A security research company has found what it’s calling “the mother of all Android vulnerabilities” – a flaw in the popular mobile operating system that could give hackers access to millions of users’ personal data.
The flaw, uncovered by the security firm Zimperium, lies in Android's media playback library, called Stagefright. An attacker needs only the victim's mobile phone number: the exploit is embedded in a seemingly innocent multimedia message (MMS), which Stagefright processes when the message arrives, before the user opens it, giving the attacker remote code execution on the phone. The attacker would be confined to the parts of the phone that Stagefright's own permissions allow, but those permissions are still enough to read stored photos and videos (including any on an attached SD card), record audio and video, and use the device's Bluetooth.
“What they figured out how to do,” CNET’s Dan Ackerman told CBS News, “is send you a text message that includes a video file in it. Because very often you can get a text that has a photo or video in it. And in the code for that video file is a string of malicious code that will then activate. And the catch is, you don’t have to actually watch the video. Just receiving it is enough to give people, potentially, access to your Android phone.”
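To make the mechanism described above concrete, here is an added illustration written for this article; it is not Zimperium's exploit and not Android's Stagefright source code. A video container is a sequence of length-prefixed chunks ("boxes"), and a parser that runs automatically on a received file has to check every size field against the real buffer before trusting it. The box layout, the two sample buffers and all function names below are constructed for the example. It contrasts a bounds check that a crafted size field defeats through 32-bit wraparound with one that cannot be defeated; it does not reproduce any particular Stagefright bug, only the general pattern by which a file parsed without user interaction can push a parser past the end of its buffer.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustration added for this article; not Zimperium's exploit and not the
 * Android Stagefright code. A video container is a sequence of "boxes":
 * a 4-byte big-endian size (covering the 8-byte header), a 4-byte type tag,
 * then payload. The parser must check every size field against the real
 * buffer before using it. */

/* Constructed sample: two well-formed boxes, 24 bytes in total. */
const uint8_t SAMPLE_OK[24] = {
    0x00, 0x00, 0x00, 0x08, 'f', 't', 'y', 'p',       /* size 8, no payload */
    0x00, 0x00, 0x00, 0x10, 'm', 'd', 'a', 't',       /* size 16 */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,   /* 8 payload bytes */
};

/* Constructed sample: same layout, but the second box claims 0xFFFFFFF8 bytes. */
const uint8_t SAMPLE_CRAFTED[24] = {
    0x00, 0x00, 0x00, 0x08, 'f', 't', 'y', 'p',
    0xFF, 0xFF, 0xFF, 0xF8, 'm', 'd', 'a', 't',
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* End offset as a naive parser computes it: 32-bit addition that wraps. */
uint32_t box_end_naive(uint32_t offset, uint32_t size)
{
    return offset + size;
}

/* Naive bounds check. For offset 8 and size 0xFFFFFFF8 the sum wraps to 0,
 * the comparison passes, and a later copy of `size` bytes would read far
 * past the end of the buffer. */
int box_fits_naive(uint32_t offset, uint32_t size, uint32_t buf_len)
{
    return box_end_naive(offset, size) <= buf_len;
}

/* Hardened check: never form offset + size. Compare the size against the
 * space that remains, and insist on room for the 8-byte header. */
int box_fits_checked(uint32_t offset, uint32_t size, uint32_t buf_len)
{
    if (offset > buf_len || size < 8)
        return 0;
    return size <= buf_len - offset;
}

typedef int (*fits_fn)(uint32_t offset, uint32_t size, uint32_t buf_len);

/* Walk the boxes with the given check and return how many it accepted.
 * Stops at the first rejected box, and also when the offset fails to
 * advance, so a wrapped size cannot send the loop around forever. */
int count_accepted(const uint8_t *buf, uint32_t buf_len, fits_fn fits)
{
    uint32_t offset = 0;
    int accepted = 0;
    while (buf_len - offset >= 8) {
        uint32_t size = read_be32(buf + offset);
        if (!fits(offset, size, buf_len))
            break;
        accepted++;
        uint32_t next = offset + size;
        if (next <= offset)
            break;
        offset = next;
    }
    return accepted;
}

int main(void)
{
    printf("naive end for offset 8 + size 0xFFFFFFF8: %u\n",
           (unsigned)box_end_naive(8, 0xFFFFFFF8u));
    printf("well-formed file: naive=%d checked=%d\n",
           count_accepted(SAMPLE_OK, 24, box_fits_naive),
           count_accepted(SAMPLE_OK, 24, box_fits_checked));
    printf("crafted file:     naive=%d checked=%d\n",
           count_accepted(SAMPLE_CRAFTED, 24, box_fits_naive),
           count_accepted(SAMPLE_CRAFTED, 24, box_fits_checked));
    return 0;
}
```

Build with `cc -o boxes boxes.c && ./boxes`. The well-formed sample passes both checks; the crafted sample passes the naive check only because `8 + 0xFFFFFFF8` wraps to `0`, which is exactly the kind of mistake a parser must not make when the input arrives unsolicited and is processed before anyone looks at it.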
In a blog post on its website, Zimperium said 95 percent of Android devices worldwide are vulnerable. “The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers,” it warned.
But the company told National Public Radio that so far, the flaw has not been exploited by hackers. “That’s the good news,” Ackerman said.
The company also said it informed Google – the company behind Android – when it first discovered the vulnerability in April and supplied patches that would fix the problem.
In an updated statement provided to CBS News on Tuesday, a Google spokesperson said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.”
“The scariest part is that a Stagefright attack does not require any action by the victim, meaning the flaw can be exploited remotely while a device owner is asleep,” Business Insider quoted Zimperium researcher Joshua Drake, who found the flaw, as saying.
A Google spokesperson spoke to Business Insider and confirmed the Android Stagefright flaw.
“We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.”
The company also noted that it offers rewards programs to encourage security researchers to report any flaws they find and help make the system more secure. Google thanked Zimperium researcher Joshua Drake for identifying and reporting the Stagefright vulnerability.
But even with a security patch available, many users could still be at risk. Drake told NPR that he estimates only about 20 percent to 50 percent of Android devices currently in consumers’ hands will actually get the updates due to vendors being slow to react – if they react at all.
The number of phones potentially affected could be huge. Android is expected to hold more than 79 percent of the global smartphone market share this year, with more than 1.1 billion devices shipping in 2015, according to a report by the industry analyst IDC.