Android bug: MMS attack affects ‘one billion’ phones

28 Jul 2015

Android phones can be hacked with a text that does not even need to be opened, according to a mobile security company.

Researchers at Zimperium have dubbed the attack “Stagefright” and claimed it could access 95 per cent of Android devices, an estimated 950 million around the world, although Google said no one had been affected. Cyber security firm Zimperium on Monday warned of a flaw in the world’s most popular smartphone operating system that lets hackers take control with a text message. “Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS (text message),” Zimperium Mobile Security said in a blog post. Joshua Drake, the vice president of platform research and exploitation, said that a target’s mobile number is the only thing needed to launch the hack, which could theoretically hit anyone from government officials to company executives.

That’s because there is reportedly a flaw on some Android devices that automatically downloads pictures, audio or video in text messages you receive. And, according to mobile security experts at the firm Zimperium, there’s a gaping hole in the software — one that would let hackers break into someone’s phone and take over, just by knowing the phone’s number. Stagefright arrives in a modified file delivered in an unremarkable MMS, which can bypass Android security to execute remote code and potentially allow access to files, storage, cameras and microphones. While Apple controls the hardware and software in iPhones, iPads, and iPods powered by its mobile operating system, Google makes Android available free to device makers who customize the code and update it as they see fit. Zimperium’s screenshots were taken on a Nexus 5 (hammerhead) running the latest version, Android Lollipop 5.1.1. “You will only see the notification.”

These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. “This vulnerability can be triggered while you sleep. You may not even see anything.” Here’s how the attack would work: The bad guy creates a short video, hides the malware inside it and texts it to your number. “Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.” Google played down the risk, saying no one was known to have been affected. Zimperium found that devices running Android versions 2.2 (Froyo) and after are vulnerable, especially those using anything older than 2012’s Jelly Bean (4.1). As soon as it’s received by the phone, Drake says, “it does its initial processing, which triggers the vulnerability.” The messaging app Hangouts instantly processes videos, to keep them ready in the phone’s gallery. A spokesperson for Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected.”

If you’re using the phone’s default messaging app, he explains, it’s “a tiny bit less dangerous.” You would have to view the text message before it processes the attachment. Once the attackers get in, Drake says, they’d be able to do anything — copy data, delete it, take over your microphone and camera to monitor your every word and move. “It’s really up to their imagination what they do once they get in,” he says. He even sent along patches to fix the bugs. “Basically, within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great,” he says. “You know, that’s a very good feeling.” But it goes away very quickly, he says, when you look at how long it’ll take his Nexus, my Samsung Galaxy and your LG or ZTE to get those patches.

Drake says that as few as 20 percent will get fixed, though the figure may be higher than that, “potentially up to the optimistic number of 50 percent.” The company declined a recorded interview. But Adrian Ludwig, the lead engineer for Android security, told NPR the flaw ranks as “high” in the team’s hierarchy of severity; and they’ve notified partners and already sent a fix to the smartphone makers that use Android. “In this case Google is not the actual one to blame,” says Collin Mulliner, a senior research scientist at Northeastern University. “It’s ultimately the manufacturer of your phone, in combination possibly with your carrier.” Android phones are very different from iPhones, for example. The blog Android Central has described the challenge of updating the operating system as an “impossible problem.” Earlier this year, a hole discovered in the Android Web-browsing app was left largely unpatched too. “If you can save money by not producing updates, you’re not going to do that,” he says. “Since the market is moving that fast, it sometimes doesn’t make sense for the manufacturer to provide an update.” NPR has asked leading phone makers and wireless service providers whether they’ll fix the bug. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device. “Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.” HTC: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July.

All projects going forward contain the required fix.” T-Mobile: “These kinds of security fixes are usually released by our third-party device partners, so we’re working with them to ensure those security updates have been deployed.” Also, the company says, “You may wish to contact the device manufacturers directly, as they can tell you more about their specific plans for these security update releases.”
