Critical Android Texting Vulnerability Could Leave Many at Risk

by Matt Klassen on July 30, 2015

Last year more than 1 billion Android-powered devices were shipped around the world, and a security research company has found a critical vulnerability that affects 95 percent of them. Dubbed the “mother of all Android vulnerabilities,” mobile researcher Zimperium claims to have found a flaw in Android’s default media playback tool, called Stagefright, one that hackers could exploit with a simple text message, that once received, would give cybercriminals complete control over and access to the Android device.

So far the vulnerability has yet to be exploited, Zimperium told NPR, but it did say that the vast majority of Android phones are the world are at risk, meaning it’s just a matter of time before digital ne’er-do-wells discover this as well (like right now).

The news of this critical vulnerability in Android really comes as little surprise though, as the world’s most popular mobile operating system is also the world’s most insecure, as reports indicate that 99 percent of all mobile malware targets Android and so far Google has shown little concerted interest in solving the problem.

So exactly how does this critical flaw work? As CNET’s Don Reisinger explains, “The malware that would exploit the Android vulnerability hides inside a short video sent to a person’s phone number… As soon as the malicious text is received, features built into Stagefright to reduce lag time for viewing videos process the video to prepare it for viewing. That processing apparently is enough for bad guys to get their hooks into the platform and take control.”

Exactly how the malicious text is released depends on the messaging service that users employ. Those using the default Messenger app, strangely enough, seem to have the most protection, as they actually need to open the text (although need not open the video itself) to infect the device. Those using Google Hangouts are at far more risk, as they need not even open the text, for as soon as it’s received Hangouts processes the video and the flaw is exploited.

According to the report, Zimperium discovered the flaw in April, and promptly informed Google of the issue. The firm then supplied Google with a fix for Android, which the company accepted, and waited until not to release the details. The company also noted that it will unveil the exact details of this exploit at the annual Black Hat hacker conference starting August 1st.

Google as of yet has said little about this particular vulnerability, and maintains that it is diligently working on improving the security of Android users.

“The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device,” a Google spokeswoman said. “Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”

Of course history has shown us that Android is indeed a breeding ground for malicious software and a hotbed of flaws and vulnerabilities, and given the fact that Google largely relinquishes control over Android updates to third-party phone makers means the search engine giant will continue to stand powerless to shore up the weaknesses in Android; weaknesses that one day may very well be our undoing.

Did you like this post ? TheTelecomBlog.com publishes daily news, editorial, thoughts, and controversial opinion – you can subscribe by: RSS (click here), or email (click here).

Written by: Matt Klassen. www.digitcom.ca. Follow TheTelecomBlog.com by: RSS, Twitter, Facebook, or YouTube.

Comments on this entry are closed.

Previous post:

Next post: