Yet another vulnerability of Android is exposed
While we know that any device can be hacked, we feel safe in the knowledge that it usually takes some kind of user participation to begin the process, like opening an errant link that’s clearly malware or something similar. A new Android exploit however, allows people to take over your phone by just sending an MMS message without any kind of user participation whatsoever – just need to receive a malware-ridden MMS and it’s all over, according to mobile security firm Zimperium.
The reason why this exploit is so effective is that Android’s own framework, a software library dubbed Stagefright, aids in the processing of the malicious content without user intervention. This is possible because Stagefright processes multimedia files, just like those in MMS, immediately after it receives it. And since Stagefright is written in C++, in a “near the metal” programming language according to Zimperium, it’s much more vulnerable to memory corruption compared to Android’s native Java language.
One silver lining is that before publishing their findings, Zimperium already reported the issue to Google back in April, and Google has taken steps to plug the vulnerabilities. The problem is that it now falls on Google’s manufacturing partners (i.e. the people who actually builds the phones) to roll out the fixes to their devices. The most vulnerable devices are ones that run Android 4.4 and below – ironically the phones that won’t be affected by the vulnerability are devices that run Android 2.2 and below.