The Cyberthreat That Affects 950 Million Mobile Devices
Cybersecurity firm Zimperium announced in July 2015 that it had discovered a major vulnerability in Google's Android mobile operating system. The flaw potentially allows hackers to access approximately 95% of all Android smartphones and tablets. That adds up to around 950 million mobile devices that are at risk.
A Uniquely Dangerous Threat
Usually, hackers need their victims to make cybersecurity mistakes, like opening a malware-infected attachment, visiting a malicious website, or using an easy-to-crack password. However, the threat uncovered by Zimperium is especially dangerous because it doesn't require the victim to make any such mistake.
A hacker using this newly discovered vulnerability only needs to hide malware inside of a video and then send it to someone in a text message. When the recipient views the message, their phone will automatically process the infected video, and thereby allow the hacker into the phone's system. If the attacker chooses to send the video via Google Hangouts, the victim doesn't even need to view the message, since the malware will take effect as soon as the phone receives it. In either case, the infected user will be completely unaware of the attack.
The only things that a hacker needs in order to successfully exploit this vulnerability are a malware-laden video and their target's phone number. Once they've gained access to the target's mobile device, the attacker would be able to do anything, said Zimperium vice president Joshua J. Drake. In addition to stealing data, the attacker could remove all traces of the attack itself and use the device's microphone and camera to spy on the target.
The flaw is part of Android's Stagefright media playback engine, which is used for playing both audio and video media files. It is believed that, in order to reduce video-viewing lag time, Stagefright's developers chose to have the playback engine automatically process the video before a user decides to start watching it. This opens the door for malware hiding in videos.
Zimperium's Fix and the Problem with Android Patches
Drake has already created patches for the flaw and sent them to Google. Unfortunately, the tech giant isn't the one who is ultimately responsible for fixing users' phones and tablets. That burden rests with device manufacturers, which typically tweak Android's source code after receiving it from Google.
Although Google has already delivered the patches to manufacturers, these companies are notoriously slow about issuing updates for their devices. It frequently takes over a year for many manufacturers to provide fixes for Android, and in some cases the devices never receive any security updates.
Drake predicted that only 20% of vulnerable devices would end up getting patched, but added that the figure could get as high as "the optimistic number of 50%." Even this best-case scenario still leaves up to 475 million devices susceptible to a Stagefright-exploiting attack.
What Users Can Do to Protect Their Devices
While the only way to get the patch may be to pressure your device's manufacturer, you can mitigate some of the risk by blocking text messages from unknown senders. This will only work for Android versions that are older than Lollipop, the latest iteration of the operating system.
There is no way to block unknown senders in Lollipop, but you can turn off the automatic retrieval function for multimedia messages. While this won't protect you entirely, it will prevent the malware from automatically deploying after your mobile device receives an infected message.
Enterprises hoping to improve their mobile devices' defences should look to outside specialists. Zimperium, for example, offers a mobile threat defense platform that can counter Stagefright attacks. A partnership with a team of experienced cybersecurity professionals can help you protect your staff's mobile devices.
About the Author
Geoff Stewart is a highly experienced and skilled IT Challenger at Surety IT. His knowledge is based on years of industry experience, having created customised, stable, well-performing systems both for multi-national companies in the UK and Australia and for Surety IT customers.