Android smartphones can be secretly infected by malware smuggled in via video text messages, allowing criminals to sneak inside as many as 950 million devices.
You just need to know a victim's cellphone number to silently inject malicious software in their vulnerable gizmo. Once infected, your mobe's camera and mic can be used to spy on you, and your files siphoned off to faraway dark corners of the internet.
That's all according to security researchers at Zimperium zLabs. The long and short of it is: if you've got an Android Jellybean or newer device, you're at risk of someone hijacking your phone, and if you're running an Android version older than Jellybean, you're completely screwed.
We're told a flaw exists in a software library called Stagefright buried deep inside Android: the software, written in C++, is susceptible to memory corruption, and after trawling through the code, the researchers found a very worrying bug.
When an MMS message containing a video file is sent to an Android device, Stagefright will be used to generate a preview of the vid. If the message is specially crafted, it will trigger a bug in Stagefright that executes malicious code hidden in the video on the handset. No user input is required to exploit this remote-code execution vulnerability – the victim doesn't even have to watch the video, merely receive it on his or her phone.
Once up and running, the evil code can delete any evidence of the original message – or leave it be so that if the owner tries to view the video again, the code is run for a second time.
The security hole affects almost all versions of Android, from version 2.2 right up to 5.1, the latest version. If you're running the latest build of Silent Circle's Blackphone, you're safe because its flavor of the Android operating system is especially hardened, and a patch to address the vulnerability is already available for the handsets.
Android Jellybean or later
If you're running Android Jellybean 4.1 or later – which is about nine in ten devices – you'll get a degree of protection: apps are run inside their own individual sandboxes to prevent them from accessing each other's private data. This should, for example, shield your banking app from malware running inside another sandbox.
The malicious code delivered by the video MMS message should be stopped dead by the sandbox walls. However, it's not impossible for the malware to break out of its prison and access the rest of the device. Also, if the booby-trapped video infects your messaging app, then your messages and conversations within the messaging app's sandbox are at risk, we assume.
On some devices, Stagefright runs with system-level privileges. This means the library, and the malicious code that exploits it, is just a step away from the all-powerful root user, and has enough access rights to monitor the mobile's communications. In this case, the malware can steal copies of all kinds of data from the smartphone.
Even if the malicious code remains trapped inside a sandbox, it can still access the camera, microphone, and external storage, which is not good.
Any phones running Android older than 4.1 – that's about one in ten devices – are entirely at the mercy of the malicious code, and can be completely compromised and spied upon. There are few or no protection mechanisms.
"We not only reported the vulnerability to the Google teams, but also submitted patches," Zimperium stated on its website on Monday. "Considering the severity of the problem, Google acted promptly and applied the patches to internal code branches within 48 hours."
Joshua Drake, Zimperium's veep of platform research and exploitation, will present full details of the vulnerability at next week's Black Hat and DEF CON security conferences in Las Vegas. He is expected to demonstrate that the aforementioned Stagefright programming blunder is one of half a dozen critical security bugs in Android that can be used to attack just shy of a billion Android devices.
Drake also says Google paid him for the flaw's details and patches, but not very much.
"Google rewarded me $1,337 for these patches. That's after I talked them up from $1,000. Now Android has a VRP!" – Joshua J. Drake (@jduck), July 27, 2015
So Google has security patches prepared, all ready to install over-the-air to your gadget; so far, so good – but only if you're using a Google Nexus phone. For everyone else, this could be a serious problem.
Smartphone manufacturers are infamous for being slow to update the software on their customers' handsets. Many smartmobe users never see an Android upgrade, as shown with the spread of the latest build – Android 5, aka Lollipop – which was released in November 2014, but is still only on just over 12 per cent of handsets.
So you may never see a security update for your phone to fix this rather annoying flaw, rendering your handset permanently at risk of infection (unless you root your handset and install your own flavor of Android, like Cyanogen). Your only solution is to buy a new smartphone, which is exactly what the manufacturers want.
"lol when ur Jeep gets updates faster than ur Android phone" – InfoSec Taylor (@SwiftOnSecurity), July 27, 2015
(There are a couple of workarounds: one is to root your Android mobile and disable Stagefright. Another is to remove or disable Google Hangouts, the default messaging app on Android, which processes video messages automatically. Even without Hangouts, if you receive a booby-trapped MMS and accidentally view it, you'll still be infected. Finally, you could tweak your carrier settings to not receive MMS texts.)
"We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device," Google said in an email to The Register.
"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."
Finally, make sure you're running Firefox 38 on your Android device: the web browser is also vulnerable to remote-code execution via malicious videos embedded in web pages, and the latest version fixes that. ®