Title: Security Firm Warns of Texting Vulnerability Affecting 95 Percent of Android Phones

Major flaw in Android

A mobile security firm is sounding the alarm on a flaw in Android that could potentially allow an attacker to gain control of a smartphone simply by sending a text message. What's scary about the threat is that in many cases, it doesn't require any interaction on the part of the victim -- in theory, an attacker could send a specially crafted media file by way of MMS to an Android phone while the owner is sleeping, take control, and delete the message before it can be seen. The user would continue to use his or her smartphone the next morning, not knowing that it's been compromised.

That's according to Zimperium, which has dubbed the exploit Stagefright. The firm said its VP of Platform Research and Exploitation discovered the flaw deep in Android's code base, and while it hasn't been exploited yet, the firm says it affects 95 percent of Android devices. Pretty scary when you consider that nearly 80 percent of all the smartphones in the world run Android.

"Android and derivative devices after and including version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11 percent of devices) are at the worst risk due to inadequate exploit mitigations. If ‘Heartbleed’ from the PC era sends chills down your spine, this is much worse," Zimperium stated in a blog post.

Zimperium says it reported the vulnerability to Google along with patches, and that Google promptly applied those patches to internal code branches. However, it could take a long time before the majority of Android users are safe from the exploit.

"For the mobile devices without zIPS protection, fixes for these issues require an OTA firmware update for all affected devices. Such updates for Android devices have traditionally taken a long time to reach users," Zimperium added.

Furthermore, devices older than 18 months may never see an update at all.

Android device owners who use Google's Hangouts app for text messaging are the most vulnerable. As Zimperium explained to NPR, an attacker could hide malware inside a short video and text it to an Android device. When it's received, Hangouts instantly and automatically processes the video so that it's ready for viewing in the phone's gallery. This is how malware can sneak in without any user interaction.

Android device owners using the default messaging app would have to view the text message, though they still wouldn't need to play the video for the malware to be installed.

Follow Paul on Google+, Twitter, and Facebook



From maximumpc

from http://bit.ly/1eutMIc
