Android Phones Open to Attack

Wednesday, July 29, 2015 @ 04:07 PM gHale

Six critical vulnerabilities have left 95 percent of Android phones open to an attack delivered by a simple multimedia text, researchers said.

In some cases, where phones parse the attack code prior to the message opening, the exploits are silent and the user would have little chance of defending their data. The vulnerabilities could be the worst Android flaws ever uncovered.

Joshua Drake, vice president of platform research and exploitation at Zimperium zLabs, reported the bugs in April. He said Google sent patches to its partners, but he believes most manufacturers have not made fixes available to protect their customers.

In all, Drake said as many as 950 million Android phones could suffer from the issue. Only Android phones below version 2.2 do not suffer from the issue, he added.

The weaknesses reside in Stagefright, a media playback tool in Android.

They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits is mobile phone numbers, Drake said. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions. That would allow for recording of audio and video, and snooping on photos stored on SD cards. Bluetooth would also be hackable via Stagefright.

Depending on the MMS application in use, the victim might never know they received a message. Drake found that when the exploit code opened in Google Hangouts it would “trigger immediately before you even look at your phone… before you even get the notification.” It would be possible to delete the message before the user was alerted to it, making attacks completely silent.

Drake said he sent vulnerability reports along with patches to Google on April 9. Just a day later, according to Drake, Google confirmed the patches would be included in a future release. He reported a second set of issues to Google on May 4, and on May 8 Google confirmed patches were on the schedule. Seven vulnerabilities have fixes ready.