A security researcher has recently uncovered a worrisome new Android exploit which allows hackers to compromise a device simply by sending either an MMS message or a multimedia file. Once a device has been targeted and infected, hackers can access a user’s microphone, camera, external storage, and in some cases (depending on the device in question), even gain root access.
Initially discovered by Joshua Drake from the security firm Zimperium, the exploit takes advantage of a number of vulnerabilities found within the software framework Android uses to “process, play and record multimedia files.”
What makes the exploit truly dangerous is that it can seemingly be triggered without any proactive action on the part of the user. Because the software framework in question is used for processing all types of media content, handsets can even be infected upon landing on a webpage with embedded video content.
“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging application Messenger,” Drake said in an interview with Forbes. “That one does not trigger automatically but if you look at the MMS, it triggers, you don’t have to try to play the media or anything, you just have to look at it.”
The library is not used just for media playback, but also to automatically generate thumbnails or to extract metadata from video and audio files such as length, height, width, frame rate, channels and other similar information.
This means that users don’t necessarily have to execute malicious multimedia files in order for the vulnerabilities found by Drake to be exploited. The mere copying of such files on the file system is enough.
Now as for how this may affect users in the real world, well, there’s good news and bad news.
The good news is that Drake, to his great credit, not only unearthed the exploit but developed a patch for it. What’s more, Drake shared his research and patch with Google this past April, whereupon the search giant immediately applied the fix to its “internal Android code base.”
The bad news, though, is that because it typically takes a while (read: months) for new Android updates to be pushed down to the varying and seemingly endless number of Android handsets, it’s believed that 95% of Android devices out in the wild are still at risk. What’s more, Android handset makers who aren’t official Google partners don’t even have access to the patched codebase at all.
Translation? Drake believes that as many as 950 million Android handsets currently in use remain vulnerable to such an attack.
Even more worrisome is that the exploit in question affects all Android devices running version 2.2 and above. The thing is, many handsets running older versions of Android stopped being eligible for software updates years ago. Put differently, if you’re still using an Android device you picked up about two or more years ago, you’re effectively out of luck.
Drake plans to disclose more information about his exploit next month at the Def Con security conference in Las Vegas.