A newly discovered Android vulnerability puts data of nearly one billion users at risk

Stagefright Android bug 'worse than Heartbleed'

Hackers could access millions of Android-powered phones via a multimedia message due to a newly discovered vulnerability in the heart of Google’s operating system.

Dubbed Stagefright, the bug, discovered by mobile security firm Zimperium, allows attackers to remotely control devices without their users knowing and to cover their traces so as not to raise any suspicion.

All they need to know is the target’s phone number. Then a simple multimedia message (MMS) that doesn’t even need to be opened by the phone owner would do all the dirty work.

“Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep,” Zimperium explained in a post on its website. “Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”

Cyber-security researcher Joshua J. Drake, who discovered the vulnerability while analysing gigabytes of source code in the Android Open Source Project, said the bug is much worse than the Heartbleed vulnerability that stormed the PC world last year.

Stagefright could expose up to 95 per cent of all Android devices currently in use around the world, a number Zimperium estimates to stand at about 950 million.

Especially vulnerable are devices running versions of Android older than the 2012 release of Jelly Bean, which may account for up to 11 per cent of devices.

Stagefright is in essence a media library that processes several popular media formats.

Since media processing is often time-sensitive, the library is implemented in native code (C++), which is more prone to memory corruption than memory-safe languages like Java.

Zimperium not only informed Google but also submitted patches to fix the worst issues. Google has already started rolling out the patches, but according to Zimperium “that’s only the beginning of what will be a very lengthy process of update deployment”.

In fact, the firm said devices older than 18 months may not receive an update at all.

Drake will present his research at the Black Hat hacking conference in the USA on 5 August and subsequently at DEF CON.
