Early today, security researchers announced their discovery of six massive software vulnerabilities which leave up to 95% of all Google Android devices at major risk of being hijacked by hackers. (The 95% number is based on the estimate that there are currently 1 billion Android phones and tablets in the world, with 950 million of them at risk — any device running version 2.2 or later is vulnerable.)
Joshua Drake from Zimperium zLabs discovered the critical flaws inside the source code for AOSP, the Android Open Source Project.
Zimperium's Z Team announced the discovery in a Monday blog post:
“Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart. Named Stagefright, it is a media library that processes several popular media formats. … [Drake] discovered what we believe to be the worst Android vulnerabilities discovered to date …. multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction.”
No protection from hack
In other words: Stagefright leaves your Android device so vulnerable that hackers could (at least in theory) hijack your device without your knowledge and without any activity from you.
Most “beware of the hacker” news articles you read advise you to protect yourself by avoiding certain actions: do not download any unsolicited file attachments, do not click on strange links in emails or texts, do not return hang-up phone calls from numbers you don't recognize.
What makes Stagefright so scary is that there's no similar “Avoid this and you'll be safe” action: in order to seize control of your device, a hacker need only send you a file containing malicious code – and can then take control whether you respond to that sent file or not.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” Drake said. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
If this happens, the hacker has pretty much complete control over the device, including camera and audio recording functions – which means the hacker can spy on anything in range of the device. Furthermore, Drake says, “Sophisticated attackers could also create what we call ‘elevated privileges,’ which would provide complete access to the phone’s data.”
The one bit of good news is that so far, there doesn't seem to be any evidence indicating that hackers have taken advantage of Stagefright. Drake said Zimperium has sent the necessary patch to Google.
However, given the structure of the current cell phone industry, Google itself can't really get the patch to the customers who need it. That job falls to the individual phone and tablet manufacturers whose devices run on Android (versions 2.2 or later), and as Vice's Motherboard blog noted, “it’s anyone’s guess when that’ll happen. Historically, some manufacturers have taken months to issue even critical patches. At times, for devices older than a year or 18 months, patches never come.”
Joshua Drake ended his Zimperium post with the suggestion that consumers “contact your device manufacturer and/or carrier to ascertain whether or not your particular device has been updated [with] the requisite patches,” and an additional plea to the makers and sellers of such devices: “If you’re part of any of the various parties that ship derivative versions of Android that might be affected, we encourage you to reach out to obtain the patches from us directly.”