“Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message or the user is lured to a malicious website, a security researcher reported Monday,” Dan Goodin reports for Ars Technica.
“The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in ‘Stagefright,’ an Android code library that processes several widely used media formats,” Goodin reports. “The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.”
“Drake said all versions of Android after and including 2.2 are potentially vulnerable and that it’s up to each device manufacturer to patch the bug. So far, very few devices have been patched, leading him to estimate that about 95 percent of devices — or about 950 million of them — are currently susceptible,” Goodin reports. “Even Google’s Nexus 5 handsets, which typically receive security fixes long before most other Android handsets, remain vulnerable.”
Read more in the full article here.
MacDailyNews Take: Smirk.
You know who loves Android the most? The U.S. NSA.
Like Windows before it, Android is the NSA’s endless playground.
SEE ALSO:
New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013
[Thanks to MacDailyNews Reader “Hellfish13” for the heads up.]
From today’s Christian Science Monitor…
“But perhaps more concerning than this flaw is the fact that Stagefright seems so poorly coded that it’s ripe for other major security issues, says Joshua Drake, senior director of platform research and exploitation at the cybersecurity analytics firm Zimperium.”
Android users are poor suckers fooled into buying a POS designed by Google. 😛
“The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.”
I suppose that would be bad for those using MMS.. For me it was an annoying addition to SMS requiring cellular data so I have MMS set to only let me know someone tried to send me a message and have the message forwarded to my email instead.
call me crazy, but didn’t that same sort of thing happen on IOS? It would shut down your phone and such? Different but same? Avid apple fan…but this seems to be very objective.
No. That was a flaw when specific characters were received. Apple patched that quickly.
That specific iOS flaw was NOT a security flaw. It was an annoyance flaw where anyone with the magic character combination could send it to another person in a message and crash and restart their iPhone. Victims had to go through an annoying ritual to stop their iPhione from crashing again and again. There was never any security compromise or exploit involved.
My Mac security colleague Topher Kessler covered the situation at the article link below. Since then, Apple has repaired the problem in an iOS update.
http://www.macissues.com/2015/05/27/messages-bug-will-force-your-iphone-to-restart/
Oh hell no deeno!
What you’re thinking of is probably the Masque Attack. It allows someone who has stolen an enterprise developer security certificate key to fake being any iOS application. Apple opened that nasty hole in order to allow enterprise companies to create and distribute their own customer iOS apps within a company. Apple has NOT closed this security hole and intends NOT to. However, Apple now keeps track of every enterprise developer security certificate key and cancels them immediately if they get wind of it being abused.
NOTE: The Masque Attack is ONLY possible on jailbroken or enterprise modified iOS devices. Anyone with a standard, Apple locked iOS device is NOT susceptible. (Not unless Apple is stupid enough to let such an app through their app store process, which is considerably unlikely, seeing as they verify every app’s security certificate key is valid).
First time a Samsung user gets his bank account hacked is the last time he uses Android.
Yeah? And? Android has been shown to be hackable, for good or bad, ever since the beginning. Seriously, we already knew that. Old hardware and software can get beaten into just like old rotting buildings..
Sent from my iPhone
>
Millions of bags of garbage may be hijacked by driving your truck up and down the neighborhood on collection day. Enjoy!
Seriously: The HORROR of fragmandroid. Even at the best estimate, only 50% of currently working Android devices will even be CAPABLE of being patched to stop this wide open door to hacking and pwning. 50%
And that’s me not even making fun of stupid Google for allowing such a whopping huge and obvious security hole in the first place.
50% ! ! !
Oh and hey MDN: I note your use of ‘smirk’. I know you love me. 😉 <3
I find it hard to believe there are 950 Million android phones turned on. Aren’t most of the androids over 4 years old in the garbage?
Yeah, but Android is a better OS than iOS because it’s an “open” system. Heh heh heh…
It’s Deja-vu all over again.
Android has replaced Windows as main playground for hackers. Soon Microsoft will be able to enjoy “security through obscurity”. ROTFL!