A major security flaw in some Android devices would only require the attacker to have your cell phone number, according to security research firm Zimperium.
The flaw involves a remote code execution that could be initiated by sending the target Android smartphone user a text message.
"Attackers only need your mobile number," Zimperium's security report said on Monday. "Using [that] they can remotely execute code via a specially crafted media file delivered via MMS."
Even more troubling, the firm says that the message could be deleted before the user even gets to read it with nothing but a notification appearing on the handset.
The vulnerability, which targets a media playback system called Stagefright, could affect an estimated 950 million devices, the company's report warns. "
Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep," it reads.
"Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual with a Trojaned phone."
The firm claims that Android devices using versions prior to the Jelly Bean release Froyo, Gingerbread and Ice Cream Sandwich, which together are currently used by an estimated 11% of Android users are at the most risk. But even updated phones don't get a clean bill of health.
A security patch for the exploit was submitted to Google back in April, according to Zimperium founder and CTO Zuk Avraham. "The security issue could allow an attacker to gain full control of a device," Avraham told.
Once attackers have control of the Android device, according to Avraham, they could execute a number of functions including turning on the handset's microphone and recording audio, taking and downloading photos on the phone, reading emails and Facebook messages and even rerouting phone calls.
"We thank [Zimperium research team member] Joshua Drake for his contributions," a Google spokesperson told. "The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device."
Avraham says a number of Android partners have been slow to apply the update. Still, Google does not appear to view the exploit as a major concern at this point.
"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult," said the Google spokesperson. "Android devices also include an application sandbox designed to protect user data and other applications on the device."
Avraham says that his company hasn't seen any executions of the malicious code within its customer base, but noted that this doesn't mean it isn't being used elsewhere.
Drake will present his findings at the Black Hat USA conference in August, and may demonstrate how the exploit works during the event.
0 comments:
Post a Comment