A simple test message or an SMS could allow a hacker to break in and ultimately take full control of your Android-powered smartphones because of a flaw in the world's most popular operating system, warned San Francisco-based mobile security firm Zimperium.
"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS," Ziperium said in a blog posted on its web site. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual - with a trojaned phone,"
Zimperium identified the Android called "Stagefright" at the heart of the problem. The mobile security firms Stagefright allows for automatic pre-load of video snippets attached to messages that hastens download of video clips.
Zimperium researcher Joshua Drake said that the issues in Stagefright is "the worst Android vulnerabilities discovered to date" as it exposes some 95% of Android-powered devices, estimated to be around 950 million devices.
With this Android flaw, hackers can exploit device's vulnerability by hiding a malicious code in video files and can activate it even if the user does not open or reads the message. The hacker can then take full control of the smartphone, Zimperium reiterated.
"The targets for this kind of attack can be anyone," Zimperium said and added, "These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited."
Zimperim said Drake's findings would be presented at Black Hat USA on August 5 and DEF CON 23 on August 7. It added that Stagefright exposes an Androide device "to multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction."
Fortunately, Zimperium said it reported the issue to Google and provided the portal giant with patches to resolve the problem and prevent hackers from breaching into Android devices.
The company further stated, "In this unique scenario, Zimperium not only reported the vulnerability to the Google teams, but also submitted patches. Considering severity of the problem, Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that's only the beginning of what will be a very lengthy process of update deployment."
Zimperium added that hackers may have not yet discovered this particular flaw in the Android system and has not taken advantage of the Stagefright vulnerability.