TechSpot

New Android vulnerability targets messaging platform, nearly a billion devices at risk

By Shawn Knight
Jul 27, 2015
  1. Researchers with mobile security firm Zimperium have revealed details on a new set of Android vulnerabilities that are estimated to affect nearly a billion devices worldwide.

    The vulnerability is said to target a phone’s MMS messaging platform. Specifically, an attacker could send malicious code disguised as a video message, which is then processed by Android’s media playback tool Stagefright. In some cases, the target wouldn’t even be required to open or interact with said message to trigger the malicious payload.

    A successful exploit would grant an attacker access to sections of a device that Stagefright has permission to interact with including a phone’s SD card, its Bluetooth platform, cameras and microphones.

    The flaw is said to impact all Android devices running version 2.2 and newer.

    The good news is that Google has already sent a fix to hardware partners. The bad news? It’s now up to handset makers to take it from there. As you may know, some partners are prompt about getting patches out to customers but that’s far from uniform behavior.

    According to Joshua Drake from Zimperium, Blackphone creator Silent Circle has already issued a fix while the latest firmware for Google’s own Nexus 6 fixes some – but not all – of the issues. HTC told Forbes that it began rolling out patches to fix the issues earlier this month.

    For those curious, the bugs have been issued CVE numbers for identification and record-keeping purposes. They are, in no particular order: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829.

    Zimperium is expected to release more details at next month’s Black Hat conference in Las Vegas.


     
  2. Is it a new vulnerability if it works on Android 2.2 and newer? Or it has been there for ages doing work and only now discovered?
     
  3. It would have been there all along. It has only been known now. Problem is once it's known and published, you need to worry about all the malicious hackers and script kiddies, and not just the NSA/GCHQ.
     