Heartbleed-Level Vulnerability Found In 950 Million Android Devices, Thanks To DRM

A serious vulnerability discovered by the researchers at Zimperium, a security company, allows attackers to infect the vast majority of existing Android users (over 950 million) through a simple MMS message without any action from the user.

The Zimperium researchers discovered multiple vulnerabilities in the Stagefright media library in Android, which is written in C++, allowing for easy exploitation, and has almost root-level privileges and Internet access. The researchers believe that these excessive permissions in the library are due to it supporting some types of digital rights management (DRM) processing or streaming playback. However, they ultimately make the devices highly vulnerable to silent exploitation in the background.

If an attacker wants to target someone, he would only need to know the target's phone number to which he could send the MMS message. The target may not have even seen the message as the attacker could delete it remotely as well, after the device was infected. An attacker could choose to do this operating during night time for the victim to minimize the risk of exposure. The only remnant of the attack could be a notification message on their screen for the MMS message, but without the MMS message itself.

If the attacker doesn't want to attack any particular target but would just want to infect random people's devices, then he could generate the phone numbers randomly or use a database of phone numbers to which he can send the MMS messages. This way he could infect millions at once.

The Stagefright and Heartbleed vulnerabilities have little in common in terms of how they work, but the level of danger here seems to be roughly as big, if not bigger for the Android vulnerability. As with Heartbleed, which was a bug that allowed malicious hackers to steal information from most OpenSSL servers, the attackers can send malware to anyone running Android 2.2 up to Android 5.1.1 (which is the latest shipping version of Android).

Although developers could upgrade their own servers to patch Heartbleed, which most did, Android users won't be able to upgrade their devices to a safe version unless the OEMs and carriers make that upgrade available. The bad news is that even if Android OEMs update all devices running Android 4.4 and up, that would still leave 48.4 percent of users vulnerable to this bug.

However, chances are that not all Android 4.4+ devices will be patched, so most Android users could still remain vulnerable until they replace their phones. Versions that are older than Android 4.2 are in even greater danger, because they lacked exploit mitigations that were added to newer versions of Android, as well as a way to disable automatically receiving an MMS.

The Zimperium researchers have already told Google as well as Silent Circle and Mozilla, who also use the Stagefright library, about the vulnerability, and the companies have prepared fixes for their own operating systems (Android Open Source Project, PrivatOS and Firefox OS, respectively).

Silent Circle already fixed the vulnerability in version 1.1.7 of PrivatOS, and Mozilla fixed it in version 38 of Firefox OS. Although Google has pushed the patch to the AOSP, it's up to carriers and OEMs to send those fixes to their users. However, Google will likely release a patch for supported Nexus devices soon, and Android M should come with the bug patched by default (or even with an overhauled media library).

Zimperium hasn't mentioned it, but disabling the automatic retrieval of MMS messages in all messaging applications that support it (which includes Hangouts and IMs) could protect users against this type of exploit. It's not clear whether that would completely work, because the researchers said they found half a dozen vulnerabilities in the Stagefright library. The company will reveal more about them at the Black Hat and DEFCON hacking conferences on August 5 and 7, respectively.

Otherwise, the company said that short of an Android upgrade, its own zIPS application for enterprise customers can also protect against the Stagefright vulnerability.

Follow us @tomshardware, on Facebook and on Google+.

This thread is closed for comments
    Your comment
  • dstarr3
    Any reason a mobile carrier couldn't just intercept text messages containing the necessary code?
  • InvalidError
    1612573 said:
    Any reason a mobile carrier couldn't just intercept text messages containing the necessary code?

    What motivation would they have to go through the extra hassle and expense?

    You are afraid to get hacked on your no longer supported phone? The carrier offers you to upgrade to a new phone for a fee. You do not upgrade your phone, get hacked and get screwed by bandwidth, LD and other charges? The carrier most likely won't let you get away from it without spending some cash either way.

    The carrier patches their servers to intercept malicious SMS? They have to eat the cost of those server tweaks, they lose one reason to nudge customers to upgrade their phones regularly and they may expose themselves to additional privacy inquiries about their SMS interception. Lose-lose-lose for them.
    Any reason a mobile carrier couldn't just intercept text messages containing the necessary code?

    Privacy concerns? Would you want your carrier intercepting your texts at any given time? Just a thought.