Android BUG dubbed as STAGEFRIGHT.
A mobile security company “Zimperium” has stated that android phones can be hacked with text that user might haven’t opened yet. Joshua Drake, the vice president of platform research and exploitation, Zimperium zLabs, said that a target’s mobile number is the only thing needed to launch the hack, which could theoretically hit anyone from government officials to company executives.
Company stated that around 95% of Android Devices are affected estimating that 950 million devices were affected while Google Denies of any device being affected. Also the researchers said the flaw was “extremely dangerous”.
Hackers were able to send malicious code within a multimedia message that could access a service within Android called Stagefright. After Stagefright had been invoked, which required no action from the victim, other data and apps on the handset could be accessed by the malicious code. “These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” the researchers wrote.
Zimperium found that devices running Android versions 2.2 (Froyo) and after are vulnerable, especially those using anything older than 2012’s Jelly Bean (4.1).
Stagefright is a media playback tool in Android. They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. Drake, vice president of Zimperium zLabs noted that all attackers can send out exploits just by knowing mobile phone numbers . From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright.
It all depends upon the MMS used by the hacker, as in few cases victim might never knew that they had even received a message.
Also, the bugs have been provided with a CVE numbers, used to record and identify vulnerabilities. They include: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829. When the disclosure lands today, security professionals and malicious hackers alike will have enough information to get cracking on exploits.
Once the attackers get in, Drake says, they’d be able do anything — copy data, delete it, take over your microphone and camera to monitor your every word and move. “It’s really up to their imagination what they do once they get in,” he says. If you’re using the phone’s default messaging app, he explains, it’s “a tiny bit less dangerous.” You would have to view the text message before it processes the attachment. But, to be clear, “it does not require in either case for the targeted user to have to play back the media at all,” Drake says. The messaging app Hangouts instantly processes videos, to keep them ready in the phone’s gallery. That way the user doesn’t have to waste time looking. But, Drake says, this setup invites the malware right in.
Google has already released a patch to protect devices and plans to release more safeguards for its Nexus devices starting next week. However, millions of devices currently remain unpatched because hardware manufacturers and mobile operators have to distribute updates to customers themselves, and customers can reject updates manually. In a statement, Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no-one has been affected.
The alternative Android OS CyanogenMod has released fixes for the same.