Researchers have uncovered yet another security bug. This one leaves 95 percent of Android smartphone and tablet users open to an attack; all it takes is a simple multimedia text, and you don’t even have to open it.
According to Business Insider, Joshua J. Drake, Zimperium zLabs vice president of platform research and exploitation, said that he uncovered the vulnerability, codenamed Stagefright.
The bug exists in one of the media libraries used by Android to display and read common file formats, like PDFs.
Drake explained: “As a result of hastily written code, there are a number of security vulnerabilities in Android devices. One piece of software in particular, called Stagefright, has errors in the code that let attackers send malware directly to any device where they know the phone number.”
“The scariest part is that a Stagefright attack does not require any action by the victim, meaning the flaw can be exploited remotely while a device owner is asleep,” he added.
Drake dove into the deepest corners of Android code and discovered what Zimperium believes to be “the worst Android vulnerabilities discovered to date.” These issues in Stagefright code critically expose 95 percent of Android devices, an estimated 950 million devices, Zimperium wrote on its Web page.
Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7, found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user interaction.
Drake told Forbes that while Google has sent out patches to its partners, he believes most manufacturers have not made fixes available to protect their customers. “All devices should be assumed to be vulnerable.”
He believes as many as 950 million Android phones could be affected, going on figures suggesting there are just over 1 billion in use. Only Android phones below version 2.2 are not affected, he added.
Drake told Business Insider: “On discovering the Stagefright vulnerability, we alerted Google and provided patches for the problem to help them begin the lengthy update process.”