Stagefright Attack: It takes only a single text message to hack an Android Smartphone
Over 95 percent of Android smartphones in circulation, or roughly 950 million smartphones, may be vulnerable to a unique but critical hack attack called Stagefright.
Joshua Drake from Zimperium Mobile Security discovered six + one critical vulnerabilities in the native media playback engine called Stagefright. He calls these weaknesses the ‘Mother of all Android Vulnerabilities’.
Drake said that the vulnerabilities can be exploited by sending a single multimedia text message to an unpatched Android smartphone. The exploit is deadly, and in some cases, where phones parse the attack code before the message is opened, it is also silent, leaving the user little chance of defending their data.
Stagefright is a native media playback tool used by Android and all these weaknesses reside in it. Drake states that they are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data.
[Figure: design chart explaining the working of Stagefright]
According to Drake, all that a potential hacker needs to do is send the exploit to the would-be victims' mobile phone numbers. The exploit could be packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright’s permissions.
Once the vulnerability is exploited, the hackers can access almost anything, including recording audio and video and snooping on photos stored on SD cards. Even the humble Bluetooth radio can be hacked via Stagefright.
Depending on the MMS application in use, the victim might never know they had even received a message.
The vulnerabilities are so critical that sending exploit code to the victim’s Google Hangouts would “instantaneously trigger the exploit even before the user can even look at the smartphone or before you even get the notification”.
Another interesting aspect of the exploit is that once it has been delivered, the hacker can delete the message before the user has been alerted to it, making attacks completely silent.
Drake will give the full disclosure along with a Proof of Concept at Def Con on 6th August. He told Forbes that he had reported the bugs in April this year and that Google has sent out the patches to its smartphone manufacturing partners.
Drake stated that a total of seven vulnerabilities had been sent to Google by 9th April, 2015 and Google had reported back to him that it had scheduled patches on May 8th 2015. Further, Google assured Drake that all future Android versions will be released pre-patched against these vulnerabilities.
However, as is the case with any Android smartphone update, the smartphone manufacturers rarely pass on the patches to the end users of the smartphone, particularly the smaller manufacturers who make localised Android smartphones. As such, it can safely be assumed that almost 950 million Android smartphones and tablets in circulation may be exploitable using the Stagefright vulnerability.
“All devices should be assumed to be vulnerable,” Drake told Forbes. Drake says that only Android phones below version 2.2 are not affected by this particular vulnerability.
“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging application Messenger. That one does not trigger automatically but if you look at the MMS, it triggers, you don’t have to try to play the media or anything, you just have to look at it,” Drake added.
In an emailed statement sent to Forbes, Google thanked Drake for reporting the issues and supplying patches, noting that its manufacturer partners should deploy them in the coming weeks and months.
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device,” a spokesperson said.