A team of mobile security experts at research firm Zimperium have recently discovered an exploit in Android that could let hackers gain access to your mobile device much easier than you’d think. Normally when reports surface regarding Android malware or security flaws, the user would need to either download the affected application or file for the exploit to reach their devices. However, that might not be the case with this recent finding.
According to Joshua Drake, security researcher at Zimperium, here’s how it would work: a hacker creates a malware-laden video, sends you the file through MMS, and that’s it. Depending on which messaging application you’re using, the video could trigger the vulnerability right away. For instance, Hangouts processes videos instantly which allows users to view the media content right away, no waiting required. For most stock text messaging apps, though, you’d need to open the message and play the video in order for the hackery to take place. When talking about messaging apps, Drake notes that “it does not require in either case for the targeted user to have to play back the media at all”.
For the most part, details on the exploit are being withheld from the public until Zimperium’s BlackHat even in Las Vegas next week. We’ll know more specifics on the exploit itself when that event takes place.
Drake sent in security patches to Google when he uncovered the exploit back in April. Google quickly accepted Drake’s patches and has already sent out a fix to all of its hardware partners. In order to get the fix, though, you’ll need to wait until your phone’s manufacturer or carrier sends it out to consumers. The researchers who discovered the flaw tell NPR that they don’t believe this exploit is currently at use in the wild. But even though it may not be currently affecting our devices, a fix needs to happen sometime soon – this exploit is, according to Drake, able to run on any Android device running Android 2.2 or later.
Drake sent in security patches to Google when he uncovered the exploit back in April
Just because these devices are potentially at risk, doesn’t mean the attack will be 100% successful, though. Google tells Forbes, “Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device”.
At this time it’s not clear as to which manufacturers will send out security fixes to their devices, if at all.