A SECURITY research company has discovered what it describes as the “worst Android vulnerability in the mobile operating system’s history”.
According to Zimperium ZLabs, 950 million Android smartphones and tablets are currently vulnerable to attacks from a bug codenamed Stagefright.
Zimperium zLabs vice president of platform research and exploitation Joshua J. Drake said hackers can gain access to the victim’s device without them even knowing — all they need is the user’s phone number.
“The scariest part is that a Stagefright attack does not require any action by the victim, meaning the flaw can be exploited remotely while a device owner is asleep,” he told Business Insider.
“This is different from spear-phishing attacks, which require users to open an email attachment or click on a link for the attack to be successful.
“It amounts to an attacker sending a media file via MMS, which again requires no action from the user.”
When a device is exploited the hacker has access to many of the phones applications, which they can use to spy on the victim or steal their data.
“Once an attack is complete, the hacker has access to many of the phone’s applications, notably the audio and camera,’ he said.
“By controlling these applications, an attacker can essentially spy on their victim by listening in on conversations or watching the device’s surroundings.
“Sophisticated attackers could also create what we call ‘elevated privileges,’ which would provide complete access to the phone’s data.”
While there is no fix for the bug at present, Mr Drake said Google was working hard to rectify the issue.
“[Upon] discovering the Stagefright vulnerability, we alerted Google and provided patches for the problem to help them begin the lengthy update process.”