Zimperium Mobile Security, based in San Francisco, warned that flaws in Stagefright, the Android media library, have left an estimated 950 million Android-based mobile devices, roughly 95% of those in use, open to remote code execution.

“Built on tens of gigabytes of source code from the Android Open Source Project, the leading smartphone operating system carries a scary code in its heart,” Zimperium stated in its blog. “Named Stagefright, it is a media library that processes several popular media formats. Because media processing is often time-sensitive, the library utilizes native code (C++), which is more prone to memory corruption than memory-safe languages like Java.”
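The class of defect the quote alludes to is a native parser trusting length fields that arrive inside the media file. The following is an added illustration written for this page, not code from libstagefright or from Zimperium: a hypothetical parser for a toy box format modelled on the MP4 atom layout (4-byte big-endian size covering the header, 4-byte type, payload). The unchecked version shows how a size smaller than its own header wraps the payload length to about 4 GB; the hardened version validates every step before touching memory. The box format, function names and sample inputs are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy box format, modelled on the MP4/ISO BMFF atom layout: a 4-byte
 * big-endian size that counts the header itself, a 4-byte type tag,
 * then (size - 8) payload bytes. Hypothetical parser written for
 * illustration; it is not libstagefright code. */
#define BOX_HDR 8u

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unsafe pattern: trust the size field from the file. For a box whose
 * declared size is smaller than its own header, size - BOX_HDR wraps
 * around to roughly 4 GB, and a parser that then copies that many bytes
 * corrupts the heap. This function returns the length such a copy WOULD
 * use instead of performing it, so the demo can be run safely. */
size_t payload_len_unchecked(const uint8_t *box) {
    uint32_t size = rd32be(box);
    return (size_t)(size - BOX_HDR);
}

/* Hardened parser: every arithmetic step is validated before memory is
 * touched. Walks the boxes in buf[0..len), appends each payload to out,
 * and returns the number of boxes parsed, or -1 on malformed input. */
int parse_boxes(const uint8_t *buf, size_t len,
                uint8_t *out, size_t outcap, size_t *outlen) {
    size_t off = 0;
    int count = 0;
    *outlen = 0;
    while (off < len) {
        if (len - off < BOX_HDR) return -1;       /* truncated header    */
        uint32_t size = rd32be(buf + off);
        if (size < BOX_HDR) return -1;            /* would underflow     */
        if (size > len - off) return -1;          /* runs past the input */
        size_t plen = size - BOX_HDR;
        if (plen > outcap - *outlen) return -1;   /* would overflow out  */
        memcpy(out + *outlen, buf + off + BOX_HDR, plen);
        *outlen += plen;
        off += size;
        count++;
    }
    return count;
}

/* Convenience wrappers so results can be checked without juggling buffers. */
int boxes_in(const uint8_t *buf, size_t len) {
    uint8_t out[64]; size_t n;
    return parse_boxes(buf, len, out, sizeof out, &n);
}
size_t payload_bytes_in(const uint8_t *buf, size_t len) {
    uint8_t out[64]; size_t n;
    return parse_boxes(buf, len, out, sizeof out, &n) < 0 ? 0 : n;
}

/* Constructed sample inputs (not captured from any real file). */
static const uint8_t GOOD[] = {
    0,0,0,11, 'f','t','y','p', 'a','b','c',
    0,0,0,11, 'm','d','a','t', 'x','y','z',
};
static const uint8_t BAD_SMALL[] = { 0,0,0,4, 'd','e','m','o' };           /* size < header */
static const uint8_t BAD_BIG[]   = { 0x7f,0xff,0xff,0xff, 'd','e','m','o' }; /* size > input  */

int main(void) {
    printf("unchecked length for BAD_SMALL: %zu bytes\n",
           payload_len_unchecked(BAD_SMALL));
    int good = boxes_in(GOOD, sizeof GOOD);
    printf("GOOD      -> %d boxes, %zu payload bytes\n",
           good, payload_bytes_in(GOOD, sizeof GOOD));
    printf("BAD_SMALL -> %d\n", boxes_in(BAD_SMALL, sizeof BAD_SMALL));
    printf("BAD_BIG   -> %d\n", boxes_in(BAD_BIG, sizeof BAD_BIG));
    printf("truncated -> %d\n", boxes_in(GOOD, sizeof GOOD - 1));
    return 0;
}
```

The three rejections in `parse_boxes` (size below header, size beyond input, payload beyond output capacity) are the checks that unsigned arithmetic silently skips; a memory-safe language would raise an exception at the out-of-bounds copy instead of corrupting adjacent memory, which is the contrast the quote draws between C++ and Java.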

Zimperium added, “Attackers only need your mobile number to remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification.”

Joshua J. Drake, vice president of platform research and exploitation at Zimperium zLabs, dived deep into the Android code base and discovered what Zimperium believes to be the worst Android vulnerability found to date. Drake's research, scheduled for presentation at Black Hat USA on August 5 and DEF CON 23 on August 7, found multiple exploitable remote code execution vulnerabilities, the worst of which requires no interaction from the user.

These vulnerabilities are extremely dangerous because they require no action from the victim, the security firm noted: the crafted media is processed when the message arrives, before anyone opens it. Unlike a spear-phishing attack, which needs the victim to open a bogus PDF or click a link, here the attacker can trigger the vulnerability and remove any trace of the compromise without the victim's knowledge.

Android and derivative devices running version 2.2 and later are vulnerable to these attacks. Devices running versions older than Jelly Bean (Android 4.1), roughly 11% of devices, are at the highest risk because they lack exploit mitigations, such as full address-space layout randomization, that later releases added.

Zimperium not only reported the vulnerabilities to Google, it also submitted patches. The company noted, “Considering the severity of the problem, Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that's only the beginning of what will be a very lengthy process of update deployment.”

“It's good that Zimperium found these quite severe vulnerabilities, but it's not good they are going to be published at Black Hat,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based security awareness training provider Knowbe4, said. “That allows the bad guys to reverse engineer these vulnerabilities and infect the Android phones of all the customers of phone carriers that are slow with updates, or provide no updates at all, which happens more often than you think. Having your smartphone owned while logging into your bank account is a recipe for disaster.”

Sjouwerman said he strongly recommends using two-factor authentication for any financial transaction over the Internet, especially over any kind of wireless device.

Malware increasingly threatens mobile phone users. A May Symantec security report revealed that 17% of Android apps (nearly one million in total) are malware in disguise. Most identified mobile malware tries to steal users' personal data, the security firm said. A further 2.3 million of the 6.3 million Android apps Symantec analyzed, roughly one third, are grayware. While these applications do not harm a smartphone, they are mainly intrusive because they track user behavior for the primary purpose of placing advertisements, Internet security expert Ali Raza said in a LIFARS newsletter.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).