Android is not perfect, and that is a predominantly known fact. It has its own vulnerabilities and bugs. But Google has high ambitions to make their mobile OS as secured as possible. But those ambitions just received a dent, when a bug discovered by security researchers at Zimperium, if exploited, could let attackers take complete control of a user’s Android smartphone.
The trigger of this security breach is nothing more than a simple malware-laden MMS video.
That’s right, just a teeny tiny MMS. If in the future, you get an MMS from an unknown source on your Android smartphone, it could very well signify that your security and privacy has already been compromised. And to make matters worse, according to reports, you don’t even need to do anything to get the hack under progress.
The hack is being referred to as “Stagefright.”, which is also the media library that Android uses to process video, and is the bit of code being exploited here. So no naming coincidences there.
Depending on the messaging app you currently have set as your default, action will be taken by your system. The worst case scenario is the Hangouts app which follows the pre-processing technique thus making it impossible to know whether you’ve got a malware-ladden MMS or not.
All devices should be assumed to be vulnerable
Drake, vice president of platform research and exploitation at Zimperium, told FORBES.
[…]trigger immediately before you even look at your phone… before you even get the notification,
he added regarding Hangouts.
Google is already tackling the flaw with all it’s got, and has already pushed out a patch to fix it to its hardware partners. Also apparently, Nexus and Blackphone users are lucky, as Drake told Forbes that they are already safe against some of the related flaws.
I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging application Messenger. That one does not trigger automatically but if you look at the MMS, it triggers, you don’t have to try to play the media or anything, you just have to look at it
If you have a third-party manufactured phone, it’s a different story altogether. You are highly vulnerable, according to the report and it’s not yet confirmed as to when exactly these manufacturers (Samsung, HTC, LG, Xiaomi etc) will be addressing this issue.
However, rest assured though, since Google says it has already dispatched a fix to its OEM partners and would be available soon.