All a hacker needs to get access to most Android phones is the telephone number tied to the device. Exploits were revealed on July 27th, and don’t require a user to open a corrupted website or download a malicious attachment; a phone simply needs to be able to accept texts and have Stagefright (Android’s default media playback engine) installed.
Researchers have dubbed the attack “Stagefright” and claimed it could access 95% of Android devices (an estimated 950 million around the world), although Google said no one had been “affected.”
Joshua Drake, the Vice President of the Android Platform Research and Exploitation department, said that a target’s mobile number is the only thing needed to launch the hack, which could theoretically hit anyone from government officials to company executives. No one is safe.
Stagefright arrives in a modified file delivered in an unremarkable MMS, which can bypass Android security to execute remote code and potentially allow access to files, storage, cameras and microphones.
Unlike phishing attacks, the user does not need to open the file for it to take effect and may not even notice it. A fully successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited.
This vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with an infected device.
Android devices running versions 2.2 (Froyo) and after are vulnerable, especially those using anything older than 2012’s Jelly Bean (4.1).
Google has already released a patch to protect devices and plans to release more safeguards for its Nexus devices starting next week. Google stated, “As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at Black Hat.”
Google is offering researchers payment and public recognition to expose security vulnerabilities in the Android Security Rewards Program.
If you’re an end user or enterprise, contact your device manufacturer and/or carrier to ascertain whether or not your particular device has been updated with the requisite patches. As a recommendation, we encourage you to make sure your devices are currently up-to-date with the latest security patches.