Android Stagefright vulnerability – one text is all it takes to hack 950 million phones

95% of Android phones – some 950 million devices – are apparently vulnerable to attack. Flaws in Android’s Stagefright code, which controls media playback, can grant remote code execution privileges to anyone with an Android phone’s number. All the attacker needs to do to gain control of a device is send a multimedia message (MMS) embedded with malware.

Joshua J Drake of Zimperium zLabs identified the issue, and will present his research at the Black Hat conference on 5 August. The Zimperium blog explains:

“Attackers only need your mobile number, [which they can use to] remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

“Android and derivative devices after and including version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations.”

For the majority of users there’s no fix available. And, as the Guardian notes, “Google, which makes the Android operating system, has no power to push patches to the vast majority of Android phones that are produced by other companies such as HTC, LG or Samsung, and those companies frequently have to negotiate with mobile network operators to send patches to the end user.

“On top of that, only the newest Android phones receive patches, which means that the Stagefright bug – which affects the Android operating system all the way back to 2010’s version 2.2 – may never be fixed for a huge number of phones still in use.”

BYOD and mobile device security

Organisations that support bring-your-own-device (BYOD) need to be especially wary of employees using Android devices to access office networks and work systems.

IT Governance’s BYOD Policy Template Toolkit contains a complete, customisable BYOD policy and Acceptable Use Agreement, together with implementation guidance, and is usable either on its own or with any other ITGP documentation toolkit.

Fully up to date with the March 2013 official guidance on data management and security from the UK’s Information Commissioner, the BYOD Policy Template Toolkit puts affordable best practice at the fingertips of CIOs and security managers everywhere.

For more information on mobile device security, download our free green paper here >>