5 Fast Facts On The Android Stagefright Vulnerability

Security After Stagefright

It's the week before Black Hat, which means researchers are beginning to tantalize the security industry with major vulnerability findings that they will announce at the show. In what it is calling the "Mother of all Android Vulnerabilities," Zimperium zLabs detailed in a blog post Monday a series of vulnerabilities in Android's Stagefright multimedia playback tool that could allow hackers to access a user's mobile device with only the person's mobile number (and no need for the user to click on a link or download a file, as in a phishing attack).

Here are the fast facts you need to know to get up to date on this new mobile vulnerability.

Setting The Stage

Before diving into this particular vulnerability, it's important to review some background on security and the Android operating system. According to the Verizon Data Breach Report, issued in April, mobile still isn't the "preferred vector for attacks," with only 0.03 percent of smartphones hit by some form of malware each week. That being said, Android was by far the platform of choice for hackers and malware, with 96 percent of mobile malware targeted at phones running that operating system and more than 5 billion downloaded applications vulnerable to attack, according to FireEye data in the report.

What's Vulnerable?

Zimperium zLabs researchers found a series of vulnerabilities in Android's Stagefright native media playback engine. The vulnerabilities allow hackers to send a user a multimedia file via MMS, which Stagefright opens automatically. From there, a hacker could remotely execute code that would give the hacker potential access to user information accessible by Stagefright (including photos, video, Bluetooth and more) and the ability to write new code to the device.

Why Should I Care?

What makes this vulnerability a little different from more common phishing or spear-phishing attacks is that attackers need only a user's mobile number to execute the attack -- they don't need a user to open the multimedia file or message.

"These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual -- with a trojaned phone," a blog post about the findings said.

Who Does It Impact?

The vulnerability is present in 95 percent of Android devices, around 950 million devices, the blog said. Devices running older versions of Android (before Jelly Bean) are particularly vulnerable because of "inadequate exploit mitigations," it said.

"If 'Heartbleed' from the PC era sends chills down your spine, this is much worse," the blog post said. "The targets for this attack can be anyone from Prime Ministers, Ministers, Executives of companies, Security Officers to IT Managers and more, with the potential to spread like a virus."

Now What?

Zimperium reported the vulnerability to Google and also provided a patch. The blog post said that Google has already applied the patches to its internal code branches, but fixing the vulnerabilities on devices will also require an OTA firmware update.

"We hope that members of the Android ecosystem will recognize the severity of these issues and take immediate action," the blog said. "If you’re an end user or enterprise, contact your device manufacturer and/or carrier to ascertain whether or not your particular device has been updated with the requisite patches. If you’re part of any of the various parties that ship derivative versions of Android that might be affected, we encourage you to reach out to obtain the patches from us directly."