Can your Android smartphone be hacked by just a malformed text message?
Zimperium has published a blog post about a new vulnerability discovered in Stagefright, a multimedia library used in all Android versions since 2.2.
Stagefright is a multimedia playback library used by Android to process, record and play multimedia files. The library is implemented in native code (C++), which is more prone to memory corruption than code written in memory-safe languages like Java.
From Zimperium Blog:
These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices.
and about the exploitation:
Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.
Screenshots taken on a Nexus 5 running Android Lollipop 5.1.1:
Is there a fix?
Google has patched the code and sent it to device manufacturers, but each device still needs an over-the-air update from companies such as Samsung or Motorola before their customers’ phones are actually patched.