A considerable software flaw, dubbed “Stagefright” has been identified on phones and devices using the Android operating system that allows hackers to gain access to data just by knowing an individual’s mobile number, according to a recent report by the mobile security experts Zimperium.
The report states that targeted users would not have even have to open a corrupted attachment or file; the hacker would simply have to send the user a malicious text message, which upon reception would corrupt the user’s system, allowing the hacker instant access.
When discussing the breach, Joshua Drake, a chief security researcher from Zimperium, and co-author of Android Hacker’s Handbook, said that access is gained “before the sound that you’ve received a message has even occurred…that’s what makes it so dangerous. [It] could be absolutely silent. You may not even see anything.” He added that once the text message has been sent “it does its initial processing, which triggers the vulnerability.”
Drake makes it clear that for a hacker to gain access s/he would simply have to create a short video with the malicious code hidden inside. The hacker would then send a text to the user’s phone with the video as an attachment.
What makes matters worse is that Android’s own Hangouts app facilitates such an attack, since it processes video attachments instantly to allow users to access them easily in the phone’s gallery. For those using the Android messaging service, the risk of attack is diminished because users would have to actually open the text message before the attachment is processed. Users should be aware, however, that whatever means of access is employed, users would not have to playback the video in order for the hacker to gain access.
Once a hacker has gained access s/he would be able to steal and manipulate any of the data stored on the user’s phone, including copying and deleting documents, passwords, photos, and other files, as well as being able to control any of the phone’s features, including the camera, microphone, the messaging application, and the video and audio functions.
Android is the most widely used operating system on the planet with a market share of around 80% of all phones. According to the report, approximately 950 million users are at risk, which is almost every active Android phone.
A security flaw of this magnitude has led to widespread concern in the Android and smartphone community, particularly because smartphone apps allow users to access banking details, email, and other confidential data easily and without identity verification.
A hypothetical solution
According to Zimperium’s report, the flaw is not yet being exploited by hackers, though it does pose a serious threat to anyone using Android, especially if they are using the Hangouts app.
From a correspondence from April and May 2015, Drake shared his report with Google, which make the Android OS. During the exchange, Drake shared patches to fix the flaw, commenting that “within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great”.
Despite the approval, Drake points out that it will take a long time for the fix to be available to Android users. He estimates that a minimum of 20%, and a maximum of 50%, of users will receive the fix.
Google declined a recorded interview, though in response to the flaw, lead engineer for Android security Adrian Ludwig said that his team had already notified Google’s partners and sent a fix to phone manufacturers that use Android. He also made it clear that the flaw is categorised as “high” in his team’s severity rating system.
With many users calling for Google to provide the appropriate fix to all Android users, Collin Mulliner, a senior research scientist at Northeastern University said that “In this case Google is not the actual one to blame…It’s ultimately the manufacturer of your phone, in combination possibly with your carrier.”
He added “If you can save money by not producing updates, you’re not going to do that,” he says. “Since the market is moving that fast, it sometimes doesn’t make sense for the manufacturer to provide an update.”
Immediately following the news, Google said “We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device”.
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”
Smartphone manufacturers & mobile providers
The manufacturers that have responded seem to be well aware of the bug and many of them have issued statements.
A spokesperson from HTC said that “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”
Silent Circle posted on Twitter saying “We patched Blackphone weeks ago!”
Samsung said that “Google notified us about the issue, and we are working to roll out the software update as soon as possible. Samsung encourages users to keep their software and apps updated, and to exercise caution when clicking on an insecure mail or link.”
Google Nexus responded by saying, “As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at [the Black Hat conference].”
The mobile phone service provider T-Mobile said that “These kinds of security fixes are usually released by our third-party device partners, so we’re working with them to ensure those security updates have been deployed.” They added that “You may wish to contact the device manufacturers directly, as they can tell you more about their specific plans for these security update releases.”
Whatever the outcome, Android users should exercise caution if they receive texts from unknown numbers, and should check the Android Central website for regular updates.