This morning, researchers at Zimperium Mobile Security revealed a new texting vulnerability in Android devices. Named “Stagefright”, it targets the multimedia messaging system. As of now, all devices running pre-Jelly Bean versions of Android can be affected by this vulnerability, which is roughly 950 million Android devices around the world.
Google has already released a patch for the vulnerability, but manufacturers have yet to push the update to their customers.
Zimperium has not provided more details about the vulnerability, pending a more detailed presentation at the Black Hat conference next month. On the surface, it looks like the attacker could target how Android processes an MMS video. The attacker could send malicious code embedded in the video, and once the user views that video, the attacker can exploit the vulnerability and take hold of the device, controlling functions such as the microphone and cameras.
In a worst-case scenario, the code would execute on the device whether the user interacts with the message or not.
Getting the patch to all Android users might be difficult, because the Android ecosystem is fragmented. Recent data suggests that only 12 per cent of all Android devices in the world are running the latest version of Android.
David Kennerley, threat research manager at cybersecurity firm Webroot: “We should all be seriously concerned about this newly discovered vulnerability. It affects almost all versions of Android, from version 2.2 to the latest version (5.1), which could be as many as one billion devices open to exposure.
“Specially crafted malware hidden inside a multimedia message (MMS) can be used to stealthily exploit a vulnerability in the Stagefright library. And the scary part is that no user interaction is needed at all – preview generation is automatic upon receiving the MMS.
“Google has patches available for the Android OSs it continues to support. But the bad news is that most smartphone manufacturers will need to implement the new code into their own Android OS flavours. This means manufacturers are in complete control of when users will receive these critical updates. Past experience tells us some customers could be waiting a very long time – possibly forever.
“Smartphone manufacturers should take this as an opportunity to show how serious they are about defending the security of the customers who have already and deploy credible fixes ASAP. Something tells me this isn’t a story that isn’t going to go away anytime soon.”