It wasn’t too long ago that Apple was dealing with its own messaging exploit, and it appears that Android can be exploited through messaging as well. According to one security researcher, a specially crafted multimedia message (MMS) can be used to compromise a large percentage of Android phones.
According to the researcher, all an attacker needs is the unsuspecting victim’s phone number. The exploit was developed by Joshua Drake, vice president of platform research and exploitation at Zimperium, a mobile security firm. Drake found a number of vulnerabilities in an Android component called Stagefright, which is used to process, play, and record media files; some of the bugs in that code allow remote code execution. The trigger is a malicious media file reaching the device, whether it arrives as an MMS attachment, is downloaded, or is played through a web page in which the file is embedded.
According to Drake, there are multiple potential angles of attack because media content from any source is run through that framework. Stagefright is also used to automatically generate thumbnails and extract metadata from video and audio files. That metadata can include channels, frame rates, height, width, and so on.
What this potentially means is that users don’t have to open or run anything for the malicious code to execute: simply copying such a file onto the file system could be enough to trigger the exploit, since the framework parses it in the background. The kicker is that the researcher doesn’t know how many apps rely on the Stagefright component, and the exploit requires no interaction from the user.
But it’s not all doom and gloom: the researcher wrote the necessary patches in April and early May and submitted them to Google. According to the researcher, Google took the matter extremely seriously and applied the patches to its internal code within 48 hours.
Drake estimates that, given the slow update process of Android manufacturers, over 95 percent of Android phones and tablets are still affected. Even within Google’s own Nexus family, devices bought precisely because they get speedy updates straight from the search giant, the Nexus 6 is the only one to have received the patches so far.
It should be noted that once Google makes the code available, it is up to the OEMs to push updates out to their devices. The vulnerabilities affect devices running Android 2.2 or higher. Google has confirmed that OEMs have received the necessary patches and thanked Drake for his contribution.
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult,” the company said. “Android devices also include an application sandbox designed to protect user data and other applications on the device.”
Depending on the device, attackers can use the exploit for a number of things, including gaining access to the camera, the microphone or external storage. According to the reporting, they would not be able to install malicious apps or access other applications’ internal data from the compromised media component.
These patches have yet to land in AOSP, so third-party ROMs such as CyanogenMod could still be affected. However, unlike updates that must come from OEMs, CyanogenMod’s large developer community could ship equivalent patches weeks or months before official updates for devices are released.
Drake also shared the patches with other parties, including Silent Circle and Mozilla; Mozilla fixed the issue in Firefox 38. He plans to present more details on the vulnerabilities and exploits, along with proof-of-concept exploit code, at the Black Hat security conference on Aug. 5.

Source: IT World