Critical Android bugs can be exploited via MMS, 950M users affected

Zimperium said that 10 critical vulnerabilities in Android were assigned seven CVE identifiers.
Zimperium said that 10 critical vulnerabilities in Android were assigned seven CVE identifiers.

Researchers with Zimperium have identified multiple critical remote code execution vulnerabilities in Android's Stagefright code that can be exploited on 95 percent of devices – an estimated 950 million – by simply sending an MMS message.

Josh Drake, Zimperium zLabs vice president of platform research and exploitation, is credited in a Monday blog post with identifying the vulnerabilities, which affect Android and derivative devices after and including version 2.2. He will be providing full technical details next month at Black Hat USA 2015 in Las Vegas.

Drake told SCMagazine.com in a Monday email correspondence that 10 critical vulnerabilities were assigned seven unique CVE identifiers.

To exploit the vulnerabilities, all an attacker has to do is send an MMS message with a specially crafted media attached, Drake said. He explained that the victim may or may not see anything at all – such as the message or notification – because once successful the attacker can remove any signs of compromise. 

In half of the cases tested, victims had no idea they were attacked, Zuk Avraham, founder and CEO of Zimperium, told SCMagazine.com. In other tests, victims received an MMS that triggered the vulnerability when clicked, but afterwards the victim did not see anything strange, he added.

Drake said, “Once successful, the attacker is left with arbitrary code execution with slightly elevated privileges, notably the audio and camera. Using these privileges, an attacker can essentially spy on their victim by listening in on conversations or watching the device's surroundings.”

The affected software runs with “system” privileges on some devices, Drake added.

“On these devices, the attacker has almost full control of the device already,” Drake said. “Apart from these elevated privileges, remote arbitrary code execution allows sophisticated attackers to execute “privilege escalation” attacks, which would provide complete control of the device.”

In a statement emailed to SCMagazine.com on Monday, Chris Wysopal, CTO and CISO of Veracode, referred to the issue as “Heartbleed for mobile” – but despite the severity of the bugs, Drake and Avraham said that the vulnerabilities are difficult to exploit. 

The post said that Zimperium reported the bugs to Google and also submitted patches that were applied within 48 hours; however, it added that fixing the vulnerabilities will require over-the-air (OTA) firmware updates that typically take a while to reach Android users. Zimperium recommended that users reach out to their manufacturers and carriers for more information.

Remi De-Fouchier, VP of marketing at Gemalto, later told SCMagazineUK.com: “It's worrying to see this potential issue with Android phones, but there are ways to secure important information and credentials mobiles through the use of Secure Elements inside the devices, such as latest generation SIMs and dedicated chips known as Embedded Secure Elements and Trusted Execution Environment, as well as using robust Mobile Software Security techniques to replace sensitive data by tokens and hide them inside the phone code. 

"Although the purpose of this attack is unknown and it does not seem to culminate in the theft of data, future attacks most undoubtedly will be making it more imperative than ever that the right secure technologies (or security frameworks) are in place to keep personal information safe.”