A dependable mobile security company backed by the likes of Samsung, Telstra, Sierra Ventures and Stephen Northcutt has just proclaimed that there is a unicorn right in the heart of the Android operating system developed by Google.
At the center of this “unicorn” is a code named Stagefright. And it exposes the Android system’s vulnerability more than anyone thought possible as Zimperium Mobile Security has just found that it is “prone to memory corruption than memory-safe languages like Java.”
In the company’s blog, the Z Team explained that Zimperium zLabs Vice President of Platform Research and Exploitation Joshua J. Drake realized that anyone can get remote access into someone’s Android smartphone, allowing a hacker to gain “remote code execution privileges merely by having access to the mobile number.”
Moreover, the Z Team believes, “The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers.” This is believed to be the worst vulnerability issue of the Android operating system to date, affecting as much as 95% Android devices. This, in turn, poses security implications to about 950 million devices dependent on Android.
To make things worse, an attack on your smartphone can take place without the user even knowing it. Let’s just say smartphone attacks can be stealthy. And all a hacker needs to infiltrate your smartphone is your mobile number.
As the Z team explains, “Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
Moreover, the Z team has also said that devices with the following CVE numbers are particularly at risk: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829.
To begin addressing this security risk, Zimperium said it has already reach out to Google who, in turn, immediately “applied patches to internal code branches within 48 hours.” In addition, Zimperium is confident that its advanced Enterprise Mobile Threat Protection solution (zIPS) is more than capable of combating Android’s Stagefright vulnerability.
Meanwhile, Zimperium’s Drake will also be discussing Android’s Stagefright problem during Black Hat USA on August 5 and DEF CON 23 on August 7.