Stagefright bug makes nearly 1 billion Android phones vulnerable, Zimperium says
Researcher says software bug is 'extremely dangerous' and hard to detect after the fact
American IT firm Zimperium says it has discovered a bug in Android's operating system that makes 95 per cent of all Android devices vulnerable to someone else gaining control of the device and its contents without the user ever knowing.
Researcher Joshua J. Drake at IT firm Zimperium says he uncovered a flaw in Stagefright, a piece of software code installed on almost all Android devices.
Stagefright is a benign piece of software code that governs how some mobile devices receive and process certain media files. In a posting on the company's website Monday, Drake says he has uncovered a vulnerability in the code that would allow an unauthorized user to send a "specially crafted media file" via text to any Android-powered smartphone they know the number for.
"A fully weaponized successful attack could even delete the message before you see it," Zimperium said. Unlike other vulnerabilities that require the user to download a suspicious file, "these vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited."
Once the device has been exploited, a malicious user would have access to the phone's data and other apps, including the camera and microphone.
Android devices running version 2.2 and later are vulnerable, Zimperium said.
"Devices running Android versions prior to Jelly Bean [roughly 11 per cent of devices] are at the worst risk due to inadequate exploit mitigations," the company said. "If 'Heartbleed' from the PC era sends chills down your spine, this is much worse."
The company says it brought its preliminary findings to Google, which released the following statement: "This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users."
"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at BlackHat."
Google has the capacity to send software updates directly to Nexus devices and to various applications downloaded through Google Play, but updates to the operating systems of other Android-powered phones are distributed by the manufacturers themselves, in conjunction with wireless service providers.