That’s right, 950 followed by 6 more zeroes.
If you own an Android smartphone and if you’ve received a text from an unknown sender you should be rooted to your chair in fear right now. The really scary part? All an attacker needs is your phone number, the text needn’t be opened for the insignificant file delivered through an inconspicuous MMS to start activating itself and hack your phone. Anyone from government officials to company executives could be affected.
Dubbed “Stagefright” (a bigger scare than arachnophobia apparently) by researchers at Zimperium, incidentally one of the biggest kids on the block when it comes to mobile security, they claim that it could access 95% of ALL Android devices, an estimated 950 million of the smartphone population around the world. Zimperium zlabs Vice President of Platform Research and Exploitation, Joshua J. Drake, discovered the vulnerability after wading through Android Code. He has since dubbed it the worst Android vulnerability to date. Drake’s research, to be presented at two key events during August, found multiple remote code execution vulnerabilities that can be exploited using several methods, the worst of which requires no user-interaction.
“A fully weaponized successful attack could even delete the message before you see it. You will only see the notification,” is written on a blog post by Zimperium. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
Suddenly I’m not so hot for my Nexus 5.
Google themselves have said that no one is affected by the vulnerability, quite an ambitious claim I must add, and have already rolled out a fix for its Nexus devices and plans to release more safeguards for its Nexus devices starting next week. The issue is that popular manufacturers such as Samsung, HTC, etc. are typically still vulnerable having not rolled out patches due to using their own versions of the Android OS. Zimperium also offers a fix and users of the privacy-focused Blackphone and Mozilla Firefox are protected.
If you use Hangouts as your messaging app, deselect the option to Auto retrieve MMS now. Those who use the stock messenger app are safe unless you view the message.
The scary part? Pretty much anyone can use Stagefright. The ironic part? They won’t know how to untill Zimperium showcases the vulnerability at Black Hat (one of the events it will present its research), where the whole world will find out about Stagefright and presumably, how to exploit it at the same time.
Do you use an Android device? What do you think about this recently discovered vulnerability? Let us know your thoughts in the comments below!
