Here’s a nightmare scenario: A simple smartphone exploit that doesn’t require the user to do anything other than receive a text message. If such a thing worries you (and, if you’re an IT manager, in a shop that allows BYOD, it should) then there’s bad news for you: Such an exploit exists for, it estimated, roughly 95% of Android smartphones which runs roughly 82% of the world’s estimated 1.91 billion smartphones.
Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart. Named Stagefright, it is a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java … These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices.
The company explains:
Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.
The implications of this vulnerability are enormous because while you can patch your Android device to make it immune to StageFright, you’re not the problem … it’s the millions of other users out there who won’t get around to patching because they either don’t know about the issue or they don’t care.
Anyway, to learn more about the StageFright Vulnerability check out the following:
- NPR: Major Flaw In Android Phones Would Let Hackers In With Just A Text
- Zimperium: How to Protect from StageFright Vulnerability
- Bruce Schneier: Stagefright Vulnerability in Android Phones
If you're in a BYOD environment, good luck. While it appears that no one has (so far) detected that the vulnerability has been exploited, that doesn't mean it hasn't.