Researchers with mobile security firm Zimperium have revealed details on a new set of Android vulnerabilities that are estimated to affect nearly a billion devices worldwide.
The vulnerability is said to target a phone’s MMS messaging platform. Specifically, an attacker could send malicious code disguised as a video message via Android’s media playback tool Stagefright. In some cases, the target wouldn’t even be required to open or interact with said message to trigger the malicious payload.
A successful exploit would grant an attacker access to the parts of a device that Stagefright has permission to interact with, including a phone’s SD card, its Bluetooth platform, cameras and microphones.
The flaw is said to impact all Android devices running version 2.2 and newer.
The good news is that Google has already sent a fix to hardware partners. The bad news? It’s now up to handset makers to take it from there. As you may know, some partners are prompt about getting patches out to customers, but that’s far from uniform behavior.
According to Joshua Drake from Zimperium, Blackphone creator Silent Circle has already issued a fix while the latest firmware for Google’s own Nexus 6 fixes some – but not all – of the issues. HTC told Forbes that it began rolling out patches to fix the issues earlier this month.
For those curious, the bugs have been issued CVE numbers for identification and record-keeping purposes. They are, in no particular order: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829.
Zimperium is expected to release more details at next month’s Black Hat conference in Las Vegas.