Exploit for Dangerous Android Vulnerability Coming Next Week – Update 2

Spread the love

Next week, security researchers will release exploit code for a dangerous bug in Android. Using a rogue video, an attacker can gain access to an Android system. Many devices are still vulnerable.

The security problem in Android, in which an Android system can be cracked with a malicious video, came to light on Monday. Details are still missing, but that is about to change: next week, at the Black Hat security conference in Las Vegas, to give the Zimperium researchers who discovered the problem released an exploit. This makes misuse of the exploit a piece of cake. Later this week, the researchers will release a video demonstrating the attack.

The Android vulnerability resides in a framework used to process videos. Attackers can hide malware in a video; it seems that at least 3gpp videos are vulnerable, and possibly mpeg4 videos as well. The vulnerability can be exploited in multiple ways, such as an attacker likely to serve videos containing malware through rogue advertisements, which is a popular way to distribute malware.

A video can also be sent using a chat app; in any case, Hangouts is vulnerable, because that app sends videos straight to the framework as they come in. If the exploit code is out in the open, chances are the bug will soon be exploited. Attackers can then, among other things, tap victims’ microphones, as well as the cameras, and take screenshots.

Google states that patches for the security problem are already available, and that they can be rolled out by manufacturers. However, according to the researchers, Android 5.1.1, the latest version, is also vulnerable; there is a good chance that a new version will follow soon.

For most Android users, it will probably be a long wait to install the update; Android hardware makers are typically slow to roll out new versions, if any at all. According to the researchers, 950 million Android devices are vulnerable. The bug was already in Android 2.2.

Google does point out that an attacker does not have unlimited rights, because Android allows apps to run in a sandbox. However, attackers could exploit other bugs to get around that; especially with older Android versions that is a risk.

Update, 13:36: This piece initially stated that the latest Android version, 5.1.1, would not be vulnerable. However, it is.

Update, 22:40: Cyanogen has released a patch for the issue.

[StageFright UPDATE] We will release a video demonstrating the attack later this week and an exploit code right after @jduck‘s black hat talk

— ZIMPERIUM (@ZIMPERIUM) July 28, 2015

You might also like