A newly discovered security flaw in the Android mobile operating system has been dubbed one of the worst vulnerabilities to date. “Stagefright” could affect around 950 million Android devices.
Stagefright is the name for a system service in Android that processes various media formats, implemented in native C++ code. Researcher Joshua J. Drake with Zimperium zLabs discovered that Stagefright can be exploited through a variety of methods, the most dangerous of which requires zero user interaction.
The exploit reportedly affects Android devices running version 2.2 (Froyo) of Android and up. The series of screenshots above show how the exploit was used to attack a Nexus 5 running Android Lollipop 5.1.1 via MMS.
“Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS,” Zimperium explained. “A fully weaponized successful attack could even delete the message before you see it. You will only see the notification.”
Zimperium says they reported the vulnerability to Google, along with submitting patches to address the issue. They noted that Google did apply the patches to internal code branches of Android within 48 hours.
Because many Android users do not run the latest version of Android, the vulnerability could affect up to 95% of Android device users. That would mean up to 950 million Android handsets could be affected by the exploit.
AppleInsider notes that the research on Stagefright is set to be presented at the Black Hat USA conference on Aug. 5, and at DEF CON 3 on Aug. 7.