Flaw leaves Android phones 'vulnerable to hack'
A security flaw has been found in Android smartphone and tablet infrastructure that leaves 95 percent of users open to attack and exploitation.
Researchers at Zimperium zLabs reported the bug in April and it has been described as the worst Android flaw ever uncovered.
Joshua Drake, vice president of the hacking firm, estimates around 950 million Android users have been left vulnerable by the bug found in Stagefright – a media tool playbook tool.
"All devices should be assumed to be vulnerable," Drake told Forbes magazine.
The hackers said the bug is particularly concerning because all someone needs to exploit an Android user is their phone number – and they might not even be aware they've been hacked.
"The scariest part is that a Stagefright attack does not require any action by the victim, meaning the flaw can be exploited remotely while a device owner is asleep," Drake told Business Insider.
Typically, gaining access to a device required the user to unwittingly open the door by downloading a virus attached to a program or a malicious email. But through the Stagefright exploit, no user interaction is required.
"This is different from spear-phishing attacks, which require users to open an email attachment or click on a link for the attack to be successful. It amounts to an attacker sending a media file via MMS, which again requires no action from the user.
"Once an attack is complete, the hacker has access to many of the phone’s applications, notably the audio and camera," Drake said, adding that users could be spied on or have their entire phone cracked open by creating "elevated privileges".
The firm said it was yet to see evidence of the Stagefright bug being exploited "in the wild" and they have sent patches to Google, which they hope to see deployed soon.
A Google spokesperson thanked the white-hat hackers for their work, telling Forbes they were looking to roll patches out to partners over coming weeks and months.
"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult.
"Android devices also include an application sandbox designed to protect user data and other applications on the device," the spokesperson said.
The Nexus 6 running up-to-date firmware was patched for some issues but not all, Drake said, but phones running anything prior to Jelly Bean 4.1 would not prevent a Stagefright MMS attack.
Zimperium zLabs has not published all the details of the Stagefright exploit, but their research will be presented in full at two hacking conferences, Black Hat USA and DEF CON 23, early next month.
