Researchers have uncovered a remote code execution Android vulnerability that could be exploited with only a malicious media file and a phone number. The bug in Android's multimedia playback engine leaves 95 percent of Android devices worldwide critically exposed. It is being called "Heartbleed for mobile," but will be prove harder than Heartbleed to fully fix.
The so-called Stagefright vulnerability was discovered by Joshua J. Drake, vice-president of platform research and exploitation at Zimperium zLabs, who will be presenting his findings at Black Hat Las Vegas next week. Drake actually discovered a variety of implementation issues in Stagefright that could be used to commit of variety of attacks, including denials of service and remote code execution.
The worst of the exploits requires no user interaction: the maliciously crafted media file could be delivered via an MMS message, and the user wouldn't even need to open it. In other words, the only thing attackers need to know about their target is their phone number. According to researchers, an exploit could even be written so that the message could be deleted before the user has a chance to see it.
"This is Heartbleed for mobile -- a remotely exploitable vulnerability that affects millions of Android-based phones and tablets," says Chris Wysopal, CTO and CISO of Veracode. "These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS. All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over."
The prevalence and ease of exploit of this vulnerability is why Wysopal compares it to Heartbleed. "It's the first Android vulnerability that's gotten to that level," he says.
The vulnerability affects Android devices versions 2.2 and later; pre-Jellybean devices are at the worst risk. Zimperium reported it to Google, which has applied patches, but full fixes require all affected devices to have an over-the-air firmware update. And that's perhaps the biggest concern: remediation requires a lot of parties to be involved, will take time, and some may never get around to it.
"The update process is very long and complicated, and most Android users will never receive an OS update," says Zuk Avraham, founder, chairman and CTO of Zimperium. "This is more challenging than Heartbleed, because in that case you can simply patch the server."
Wysopal says attackers will be creating and distributing exploits soon. "It's probably a matter of days, so time is of the essence to get the devices patched," he says. But "in the past, it [patching] has been a fragmented process."
Google may release a patch, Wysopal says, but the rest of the Android ecosystem -- the handset manufacturers and wireless carriers, for example -- may take weeks or longer. "We need to start asking them for a timeline," he says. "Unfortunately it's a situation where the individual user may need to take the lead."
The good news is that these Stagefright vulnerabilities do not grant attackers to the victim's entire Android device -- only to their media files -- and wouldn't allow the attacker to make the jump onto an enterprise network, he says.
The question then is will this remain--like other mobile threats before it--a consumer or individual issue. Spying on one's media files could be a threat to an individual, but will it be the kind of thing that brings mobile malware a bigger concern to the enterprise?
Wysopal says the Stagefright exploit could be nastier if combined with a privilege escalation exploit.
"There are targeted attacks on smartphones, as the Hacking Team leak has proved," says Avraham. "We are seeing a lot of attacks. This is the most silent threat to the enterprise out there, empowering attackers to essentially spy on anyone from executives to prime ministers and celebrities."
Wysopal's advice is to turn off the auto-download of MMS messages feature, and then avoid opening MMS messages from unfamiliar senders.