News Feature | August 18, 2015

US –Cert Warns Of Android "Stagefright" Vulnerability

Christine Kern

By Christine Kern, contributing writer

US –Cert Warns Of Android “Stagefright” Vulnerability

A vulnerability dubbed “Stagefright” has been detected in Android devices running Android versions 2.2 through 5.1.1_r4, according to US-CERT (United States Computer Emergency Readiness Team), which could allow an attacker to access multimedia files or take control of an affected device. The versions that contain the vulnerability comprise more than half of the Android devices currently in use — about 950 million devices.

The vulnerability is most readily exploited by receiving malformed text messages or luring vulnerable phones to booby-trapped websites.

Ars technica reported that the attack puts phones into the digital unresponsive state, making them unable to perform the majority of their functions, including making or receiving calls. Joshua Drake, vice president of platform research and exploitation at security firm Zimperium explained to ars technica that the most serious danger lies in the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs to launch the attack is the number for a particular Android phone. Via the MMS text, the hacker can execute malicious code on a vulnerable device without engaging the end user and without leaving a trace of the attack.

“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited, “Drake explained on his company’s blog. “Unlike spear phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual — with a trojaned phone.”

Although an affected phone should be able to be revived by restarting it, a recent blog post by Trend Micro researcher Wish Wu said that a new vulnerability can also be exploited via malicious apps.

Regarding the severity of the vulnerability, Chris Wysopal, chief tech and information security officer at the application security firm Veracode, told Fortune, “This is Heartbleed for mobile,” These vulnerabilities “are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS.”