vulnerable to a major flaws reported in the famous Google’s operation
system by security bug. This flaw prevails amongst versions 2.2 to 5.1 of
Android operating system and is affecting more than 950 Million Android
smartphones and tablets.
In this attack, the attacker doesn’t target the victim with malicious
documents or scripts that need to be executed for successful exploitation.
Rather the malicious code would take over instantly, the moment you receive
a text message, prior to ever opening the received message..
Your mobile number id all that the hacker requires to target your android
device. The hacker could then send the crafted message that will trigger
this vulnerability and execute malicious code on the vulnerable device.
The severity of this flaw lies in that no end user action or interaction is
at all required for exploitation purposes.
“This happens even before the sound that you’ve received a message has even
occurred,” says Joshua Drake, security researcher with Zimperium.
Dubbed as the Stagefright vulnerability, the following CVEs have been
assigned to this critical weakness in the popular Android operating system:
– CVE-2015-1538
– CVE-2015-1539
– CVE-2015-3824
– CVE-2015-3826
– CVE-2015-3827
– CVE-2015-3828
– CVE-2015-3829
Zimperium first contacted Google regarding the vulnerabilities on April 9.
But it’s been 109 days, and a fix still isn’t largely available. That’s why
Zimperium went public with the news.
Google reported that the patched the code has been sent to device
manufacturers, but devices require over-the-air updates from manufactures
such as Samsung or Motorola to update their customers’ phones.
As a result millions of devices remain exposed to this critical Stagefright
attack.
