A security research company claims to have found a vulnerability baked into Android that could put 95 percent of devices around the world at risk.
Security research firm Zimperium has discovered a flaw that takes advantage of the media playback tool built into Android, called Stagefright. The flaw allows malicious hackers to send to an Android device a simple text message that, once received by the smartphone, can then give that person complete control over the vulnerable handset and steal anything on it.
A look inside the bug
The malware hides inside of a short video sent to a person's phone number, according to NPR, which reported on the bug on Monday. Zimperium discovered the issue in April and promptly informed Google. As soon as the malicious text is received, features built into Stagefright to reduce lag time for viewing videos process the video to prepare it for viewing. That processing is enough for malicious hackers to get their hooks into the platform and take control.
Exactly when the device will be exploited depends on the messaging platform a user employs. Those using the standard Messenger app built into Android will need to open the text message (but not necessarily watch the video) to fall victim to the trap. Those who are running Google's Hangouts app to handle text messaging, however, need not even open the application, according to Zimperium. As soon as Hangouts receives the text, it processes the video and the hacker is in. Perhaps even more troubling, Google's Play app marketplace says Hangouts has been downloaded between 1 billion and 5 billion times.
So far, Zimperium told NPR, the flaw its team discovered has not been exploited, but in a blog post on its own page, the company said that 95 percent of Android devices worldwide are vulnerable. The company called Stagefright the "Mother of all Android Vulnerabilities."
Android's security issues
Android has been racked with security flaws for years as malicious hackers increasingly target the mobile operating system. In the first quarter, 99 percent of mobile malware targeted Android devices, according to security firm F-Secure. Android's allure for malicious hackers has everything to do with its popularity. In 2014, over 1 billion Android devices shipped worldwide, according to researcher Strategy Analytics. The company expected that number to only rise in 2015 and beyond as more people around the world get their hands on new devices.
In May, research firm International Data Corporation (IDC) said that Android's market share by the end of 2015 will reach 79.4 percent, or 1.15 billion shipments, topping Apple's iOS, which will only muster 237 million device shipments and 16.5 percent market share.
In the vast majority of cases, malicious hackers focus on operating systems that are most popular to maximize their market. Although there are some malware makers that want to kill devices, most create malicious software with the sole intent of stealing data and using it to make money. Accessing data from a smartphone may give malicious hackers all they need to access bank accounts, credit card information, or anything else that may be of financial value.
To compound the threat to Android devices, Google is largely powerless when it comes to actually getting patches to users. Vendors, including Samsung, LG, Huawei, and others, as well as wireless carriers, all have control over how updates are sent to other products.
Once Android is bundled into a product, it's typically been modified by both vendors and carriers. By then, Google has no control over or access to the operating system. When security updates are required, Google can only send over a patch. After that, it's up to the vendor and/or carrier to push those updates to phones.
Zimperium, which sent a patch to Google that the Android maker has accepted, told NPR that he estimates only 20 percent to 50 percent of Android devices currently in the wild will actually get the updates due to vendors being slow to react -- if they react at all.
Google acts swiftly
A Google spokeswoman didn't say in a statement to CNET what vendors may be ready to update their devices or have plans to do so, but she did acknowledge that they are armed with the patches they need to safeguard devices.
"The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device," the spokeswoman said. "Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."
Acknowledging that Android has become a destination of sorts for malware, Google in Juneannounced a rewards program that pays researchers cash for finding bugs and holes that may be exploited in the operating system. Google has offered similar rewards programs to researchers for years with great effect. The company has doled out major rewards to researchers that find flaws or security vulnerabilities in its Chrome browser and other properties it owns. In 2013, one security expert going by the name Pinkie Pie earned $50,000 for finding a particularly nasty bug in Chrome. Last year alone, Google paid out over $1.5 million to security researchers finding flaws in Chrome and other Google products. In total, the company has paid out $4 million since its bug bounties started in 2010.
While Zimperium says the risks are high for Stagefright to be exploited, and it's possible that malicious hackers will soon take advantage of the flaw, Android device owners largely sidestep potential malware. In April, Google issued an Android State of the Union report and claimed that malware installs on Android devices fell by 50 percent in 2014. By the end of the year, Google said that fewer than 1 percent of all Android devices had "potentially harmful applications" installed on them.
According to Zimperium's blog, it will show exactly how Stagefright works and can be exploited at the Black Hat hacker conference in Las Vegas starting on August 1.
No comments:
Post a Comment