The Android Open Source Project (AOSP), the leading smartphone operating system, is built on tens of gigabytes of source code. In all of that code a media library called Stagefright is used to processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java.
A leading Android security research firm found what is largely believed to be the worst Android vulnerability discovered to date. These issues start in Stagefright and critically expose an estimated 95% of Android devices, an estimated 950 million devices. This research found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction.
So, Should you care?
Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike other attack vectors that requires the victim to open a PDF file or a link sent by the attacker, this vulnerability can be triggered without any interaction whatsoever. So, yes, this is one to be concerned about!
Android and derivative devices after and including version 2.2 are vulnerable.
Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations.
Mitigation of this vulnerability is being performed by device manufacturers and OEM’s. Slowly.
Until patched code is fully deployed, the good news is that there are several ways to mitigate this risk on newer android devices.
- Route all MMS messages through Google Hangouts.
- a. In Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded. Older devices don’t have this option, older devices are more exposed and at risk.
- Block unknown MMS messages using your enterprise MDM software.
- Several popular anti-malware tools for Android have classified this malicious behavior and implemented protection against this.
If you have any questions or concerns about mobile devices in your organization, contact CIT for expert IT help.