Multimedia text would compromise the device.
By Raif Karerat
WASHINGTON, DC: A major flaw in the Google’s Android mobile operating system has left nearly 95 percent of its users vulnerable to an attack delivered via a simple multimedia text, and there is no fix as of yet.
The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in “Stagefright,” an Android code library that processes several widely used media formats.
In a blog post published Monday, Zimperium researchers wrote:
A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.
Drake told NPR that he originally informed Google about the exploit back in April and sent patches to fix the bugs. “
“Basically, within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great,” he said. “You know, that’s a very good feeling.” The inherent problem is that the Android OS is notoriously difficult to update unless carriers and phone vendors successfully coordinate to release the fixes.
In an emailed statement sent to Forbes, Google thanked Drake for reporting the issues and supplying patches, noting its manufacturer partners should deploy in the coming weeks and months.