
New security flaw can render an Android device useless

On Monday, enterprise mobile security firm Zimperium said that 95 per cent of Android devices could be at risk from one of “the worst Android vulnerabilities discovered to date”. “Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs”, Trend Micro said, adding that this vulnerability is similar to the above-mentioned Stagefright vulnerability.


The vulnerability is said to be present in devices loaded with Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop).

All the hacker needs is the person’s phone number. One of the things that mitigated the damage from Heartbleed was that it took a while for hackers to find it, giving the white hats a little time to distribute software updates. That level of control would certainly seem to imply that raiding the data on the phone, using the owner’s identity to spread malware to his contacts, or using the phone as a crowbar to penetrate networks it connects to, could also be on the menu. By clicking the link or opening the attachment, a person can be infected.

“We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen”, Trend said. This can gain access to the Android source code without any user interaction.

“A fully weaponized successful attack could even delete the message before you see it. You will only see the notification”. What’s more, in many cases, Stagefright attacks require no end-user interaction at all for the vulnerability to be exploited.


According to CNET, Zimperium told National Public Radio that hackers have not taken advantage of the Android flaw so far. However, it’s worth noting the open question of how the attackers will ask for ransom from affected Android users once the device is unresponsive. He negotiated a 90-day embargo before he went public, giving the company a long headway to ship a fix to users. (Google’s in-house security researchers, Project Zero, apply the same 90-day warning to other vendors when they find bugs in products from companies such as Apple and Microsoft.) It’s worth noting that the majority of Android devices, nearly 90 percent, are now running these versions, according to Google’s Android distribution numbers.
