Android bug leaves a billion phones open to attack

A security researcher has discovered what could be one of the worst vulnerabilities in Google's Android mobile operating system to date, leaving close to a billion devices open to remote code execution.

Joshua Drake of security vendor Zimperium analysed gigabytes of source code for Android, and discovered that the Stagefright media library written in the C++ language - used for time-sensitive applications - is vulnerable to memory corruption.

He found several critical vulnerabilities in the media library code.

To exploit the vulnerability, attackers can send a specially crafted media file via multimedia messaging service (MMS) or another channel to victims' devices.

No user interaction is needed and the malware can be set to delete messages before they're seen when incorporated in fully weaponised exports, Drake noted.

Stagefright exploitation sequence. Source: Zimperium

Android version 2.2 and newer are vulnerable, with devices prior to the "Jelly Bean" release being most at risk due to inadequate exploit mitigations.

Drake estimated that the Stagefright bug affects around 95 percent of all Android devices - equivalent to 950 million. 

"This will have widespread implications for Android devices," HackLabs director Chris Gatford said.

But the vulnerability's impact would be lessened because Drake had chosen to go down the path of responsible disclosure, he said.

"If this had been discovered by someone with less than good intentions, it would have been devastating."

The Stagefright vulnerability could also be added into a self-propagating computer worm, Drake found, which would be spread by itself after infecting a device.

Google has been notified of the bug, Drake said, and applied patches to internal code branches within 48 hours of the vulnerability being reported.

Patches could be a long time coming

Fortian principal IT security consultant Jason Wood said the discovery of the vulnerability would be compounded by the issue of Android version fragmentation.

"While Google has acted promptly to update internal code branches, they are reliant on hardware vendors and telecommunications companies to incorporate these updates and push them to individual devices which they may or may not do, particularly for older versions," Wood said.

"This means that some users will remain exposed for a period of time and others may never receive patches to protect against this vulnerability."

Telecommunications companies are notoriously slow at pushing patches and updates for older devices, and in some cases abandon them totally.

Researcher Adam Boileau of security consultancy Insomnia said business users would either need to bin the vulnerable device in favour of a newer Android model or Apple iOS or Windows phone.

"Unless you've got a supportable Android device - Google Nexus or a brand new Samsung/LG/Huawei if you consider waiting six months to be supported - your options to be patched against Stagefright are pretty limited," Boileau said.

Gatford said it was quite common for Android devices to be at least two years out of date patch-wise.

"If you own a Google device you get the updates as soon as they come out. If it's a Samsung device, you get it as soon as the code goes to the manufacturer and they've tested and pushed the update," Gatford said.

"With a device bought from a telco, it goes from Google to the handset maker to the telco to you - that can take up to two years. So I suspect this vulnerability will be around on end user devices for a while."

Gatford said since Drake had responsibly disclosed the vulnerability to Google and had - so far - opted against publishing detail of the exploit, the use of the vulnerability in the wild by malicious actors would likely be limited.

"Emulating [Drake's attack] would be hard unless you had access to the full detail," Gatford said.

Drake will give a talk on how the bug works at the Black Hat conference in early August.