Millions of Android users at risk as Stagefright attack code goes public
10 September 2015
Details of attack code allowing hackers to exploit a key Android vulnerability have been released to the public, putting hundreds of millions of Android users at risk.
Critical flaws found in the Stagefright bug earlier this year mean that the phones of the 950 million global Android users are vulnerable to attack.
The code's existence was made public in late July, but the code itself has now been released by security firm Zimperium.
Despite requests from Google for the security firm to delay its release of the information, Zimperium yesterday released proof-of-concept code exploiting some of the bugs in question.
The script published by Zimperium enables attackers to take pictures and remotely listen to audio, although it does not work against Android versions 5.0 and above.
Developers at Google, carriers and handset manufacturers have been working on patches over the past four months but reportedly struggled to distribute them to the millions of affected Android users as the code was revealed.
Fixes distributed in July, which automatically blocked information and images sent in MMS messages on Android, were heavily criticised as “little more than Band-Aids”.
Other patches disseminated at the time proved to be insufficient, with users’ mobiles still open to attack.
Attackers are able to execute malicious code by sending MMS messages to the number of any vulnerable Android phone.
No action by the user is required, and individuals may not even be aware that their mobile phone has been breached.
Google and Samsung have reacted by promising to introduce monthly patch cycles for some of the affected models.
Photo © Kham Tran (CC BY 2.0). Cropped.