Widespread Android vulnerability could turn phones into spycams
A security flaw in Google's Android mobile operating system allows attackers to take control of someone's device just by sending a text message 鈥 and the recipient doesn't even have to open it.听
While Google has released a patch for the widespread vulnerability found in its Stagefright multimedia playback engine in the Android OS, the fix won't help millions of users with older versions of the system that Google no longer supports.听Android has deployed听Stagefright since its 2.2 release听in 2010.
But perhaps more concerning than this flaw is the fact that Stagefright seems so poorly coded that it's ripe for other major security issues, says听Joshua Drake,听senior director of platform research and exploitation at the cybersecurity听analytics听firm Zimperium.
"My only reservation about calling this bug the Stagefright bug is that I highly doubt this is the last time we鈥檒l have to talk about Stagefright," says听Mr. Drake, who publicly revealed the vulnerability on Monday.
Google听declined to comment about the quality of Stagefright code or the testing practices to evaluate the code for security flaws. The company听did, however, release a statement thanking Drake for work in revealing the vulnerability.
One use for Stagefright is preprocessing videos sent over text message or through some third-party apps. The bug in the multimedia engine means that attackers could send a text message with a malicious video file and infect the mobile device without a recipient actually clicking to open the file.
鈥淸A hacker]听could even delete that text message and delete the evidence of the attack,鈥 says Drake.
By exploiting this vulnerability, an attacker could gain听control over Bluetooth, video, audio, and the microphone 鈥 enough to turn a phone into a spycam. On many phones, an attacker could gain complete control of the device.
News of the Stagefright bug also raises questions about Google's update policy for the Android operating system. Currently,听Google provides patches the two most recent operating systems it still supports 鈥撎齂itKat and Lollypop.
Unlike听the Apple iPhone, in which 84 percent of users run the current operating system, Android users regularly lag behind in updates. Only around half of the 1 billion Android users run Lollipop or KitKat, meaning some 500 million phones still susceptible to the Stagefright attack.
Security professionals have long been critical of Google over its Android update practices. When bugs affect Android versions that Google still supports, the company writes a patch, sends it to phone manufacturers, and counts on companies such as Samsung or Motorola to update their customers' phones. But many manufacturers do not treat updates with urgency. If a bug affects a version of Android that Google no longer supports, phone manufacturers can develop patches on their own, but few ever do.
"The problem is that devices sold today have no warning system as to if they will ever be updated," says Todd Beardsley, research manager at the security firm Rapid7.
While听it鈥檚 possible to change Androids settings to prevent the phones from automatically downloading video from text messages, that still may not be a complete fix for Android users who don't receive the patch for their phones, says Drake, the听Zimperium researcher.听鈥淭he best I can say to people without the patch is to make sure they trust anyone with their phone number."
听
