Security firm uncovers another far-reaching Android vulnerability

by: Jimmy Westenberg, July 27, 2015

A team of mobile security experts at research firm Zimperium has recently discovered an exploit in Android that could let hackers gain access to your mobile device much more easily than you’d think. Normally, when reports surface regarding Android malware or security flaws, the user needs to download the affected application or file for the exploit to reach their device. However, that might not be the case with this recent finding.

According to Joshua Drake, security researcher at Zimperium, here’s how it would work: a hacker creates a malware-laden video, sends you the file through MMS, and that’s it. Depending on which messaging application you’re using, the video could trigger the vulnerability right away. For instance, Hangouts processes videos instantly, which allows users to view the media content right away, no waiting required. For most stock text messaging apps, though, you’d need to open the message and play the video in order for the hackery to take place. When talking about messaging apps, Drake notes that “it does not require in either case for the targeted user to have to play back the media at all”.

For the most part, details on the exploit are being withheld from the public until Zimperium’s BlackHat event in Las Vegas next week. We’ll know more specifics on the exploit itself when that event takes place.

Drake sent in security patches to Google when he uncovered the exploit back in April. Google quickly accepted Drake’s patches and has already sent out a fix to all of its hardware partners. In order to get the fix, though, you’ll need to wait until your phone’s manufacturer or carrier sends it out to consumers. The researchers who discovered the flaw tell NPR that they don’t believe this exploit is currently in use in the wild. But even though it may not be currently affecting our devices, a fix needs to happen sometime soon – this exploit is, according to Drake, able to run on any Android device running Android 2.2 or later.

Just because these devices are potentially at risk doesn’t mean the attack will be 100% successful, though. Google tells Forbes, “Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device”.

At this time it’s not clear as to which manufacturers will send out security fixes to their devices, if at all.

  • OhStopItYou!

    so an article about a security issue with android without actually telling users how it works (as in its technical stuff and why it happens)

    • Jimmy Westenberg

      Details are pretty scarce about how this whole thing works at the moment. We’ll know more next week when Zimperium holds its BlackHat event in Las Vegas. http://blog.zimperium.com/the-biggest-splash-at-blackhat-and-defcon-2015/

      • Sonnal

        so this is PR for the event?

      • OhStopItYou!

        Thanks for letting me know. I will definitely be on the lookout for more info!

  • Arman

    Naturally uninstalling “google hangouts” would be the first step to mitigate the threat until we have more information

    • John Doe

      Sending out an update to turn off the auto-run option in Hangouts would be a good 1st step, until a fix has actually been rolled out.
      I thought that Google held a hacker convention to see how safe Android was .. or maybe that was for something else ..
      Either way it would be a good idea to do so ..

    • John Garlits

      Disable automatic MMS retrieval on Hangouts AND whatever SMS app you use (like the one that came with your phone if it’s not a Nexus). Don’t download from unknown numbers. Temporary fix that every tech site SHOULD be publishing. Not sure everyone will be able to uninstall or disable Hangouts on their phone depending on their phone and how it’s locked down. Looks like I could only disable it on my T-mo G4.

      • Arman

        I am using Contacts+ and trying to find that setting but all I see is change the MMS setting to proxy as opposed to the address that it is getting from the carrier. Any suggestions?

        • John Garlits

          Hmm, not sure. Maybe you want to consider a different app temporarily? I wonder what would be the impact of that “Don’t use Lollipop MMS APIs” setting. What would it use instead? Above my knowledge. Maybe contact the developer of your app to find out, or see if they’ll issue an update with the setting to disable automatic MMS (and make it default off ideally).

          • Arman

            The default Cyanogen OS 12 MMS has the setting and it was turned off by default. Guess I should go back to the default Messaging app for now.

  • Arman

    Another good measure would be using a spam blocker app like “Truecaller – Caller ID & Block” that blocks the unknown and suspicious SMS to begin with. You can get it from Google Play:
    https://play.google.com/store/apps/details?id=com.truecaller&hl=en

  • Paul M

    I just cleared the MMS settings from the apn settings on my phone, so now it can’t download MMSs at all.
    Sure, I broke MMS, but I never use them as my carrier charges me quite a bit for using them.

  • flye

    Damn….. I have not received any mms for years! Do ppl still use mms????

  • shivansh

    Damn, I am getting a notification when I open whatsapp that a new version is available, and when I click install it directly starts installing. Also, I checked the Google play store and there was no update, and when I click change log it takes me to a fake website.