Stagefright -- the worst Android vulnerability ever dubbed 'heartbleed for mobile'

Nearly 95 percent, or 950 million, Android devices carry a “scary” code inside them, according to researchers. Zimperium zLabs has discovered a security bug what it calls to “be the worst Android vulnerabilities discovered to date.” The bug, named ‘Stagefright’, is actually a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java. [caption id=“attachment_2367724” align=“alignleft” width=“380”]  Courtesy: Zimperium zLabs[/caption] Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction. Attackers only need to know the target’s mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before the user see it. The user will only see the notification. “These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone,” Drake explained. Android and derivative devices after and including version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11 percent of devices) are at the worst risk due to inadequate exploit mitigations. “If ‘Heartbleed’ from the PC era sends chill down your spine, this is much worse,” he added. Upon discovering the Stagefright vulnerability,  Zimperium alerted Google and submitted patches for the problem. Considering severity of the problem, Google acted and applied the patches to internal code branches within 48 hours, but “unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.”