Researchers from Zimperium Mobile Security, a security firm, have discovered a bug dubbed Stagefright in the Android mobile operating system, which they described as the “worst Android vulnerabilities” to date.
Although Google has patched the problem, millions of devices still need to be updated. The flaw affects nearly a billion devices. “These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7 found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction,” the firm said in a report posted on its blog.
The flaw can be exploited by sending a photo or video message to a person’s smartphone, without any action by the receiver.
“Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” the researchers wrote.
Once Stagefright has been invoked, which requires no action from the victim, the malicious code could access other data and apps on the handset.
Once the researchers had discovered the flaw, they reported it to Google, which produced a patch to fix the problem.
According to a report published by the BBC, Google said in a statement that the vulnerability was identified in a laboratory setting on older Android devices and that, as far as it knows, no one has been affected. “As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at Black Hat,” the report read.