Worse than Heartbleed: Stagefright security flaw leaves almost all Android users open to Trojan attacks

Almost a billion Android users vulnerable to security flaw that can be exploited just by sending a text message, warns Zimperium

A serious security vulnerability in Google's Android mobile operating system is "worse than Heartbleed" and allows hackers to take control of a device just by sending a text message that might not even be detected by the user.

Dubbed "Stagefright" after the Android media-playback library in which it lies, the flaw allows attackers to gain remote code execution on a device while knowing nothing more than its owner's mobile number.

The discovery of Stagefright comes shortly after Computing research found that IT departments believe Android is the most problematic OS for enterprise deployment, with security of Android often cited as a key concern.

Stagefright was discovered by Zimperium zLabs VP of platform research and exploitation, Joshua Drake, and the mobile security firm described it as "the worst Android vulnerability discovered to date" as it critically exposes 95 per cent of the estimated one billion devices using the Google OS.

All Android versions from 2.2 (Froyo) onward are vulnerable to Stagefright, with devices running versions older than Jelly Bean (4.1) at the worst risk because they lack exploit mitigations such as address space layout randomisation that make a memory-corruption bug harder to turn into reliable code execution.

"If Heartbleed from the PC era sends a chill down your spine, this is much worse," said Zimperium researchers, who outlined their findings in a blog post.

An attacker who knows the mobile number of a target Android device can send it a specially crafted media file by MMS and so execute code on it remotely. Because common messaging apps automatically retrieve incoming MMS media and hand it to the system media library to generate a preview, the malicious file is parsed before the user opens, or even notices, the message.
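The crafted-media-file vector comes down to a media parser trusting length fields read from the file. As an added illustration of that bug class (a constructed example written for this page, not Zimperium's code and not the actual libstagefright flaw, which the article does not describe), here is a minimal MP4-style chunk walker showing the unchecked length arithmetic beside a checked version; the chunk layout, function names and sample bytes are all assumptions for the illustration:

```c
/* Illustrative chunk parser for an MP4-style container: each chunk is a
 * 4-byte big-endian size (which covers the 8-byte header), a 4-byte type
 * tag, then payload. trusting_payload_len() shows the bug class (length
 * arithmetic on an untrusted field); checked_payload_len() and
 * parse_chunks() show the hardened form. Constructed example, not
 * libstagefright code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CHUNK_HDR 8u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bug class: the payload length is derived from the attacker-controlled
 * size field with no bounds check. A size below 8 wraps to ~4 GiB; a size
 * larger than the bytes remaining walks past the end of the buffer. Any
 * memcpy() of payload_len bytes that follows overflows the destination. */
uint32_t trusting_payload_len(uint32_t size) {
    return size - CHUNK_HDR;          /* unsigned wrap when size < 8 */
}

/* Hardened form: validate the size field against both the header length and
 * the bytes actually remaining before deriving any length from it.
 * Returns 1 and sets *out on success, 0 on a malformed chunk. */
int checked_payload_len(uint32_t size, size_t remaining, size_t *out) {
    if (size < CHUNK_HDR || size > remaining)
        return 0;                     /* malformed or truncated chunk */
    *out = size - CHUNK_HDR;
    return 1;
}

/* Walk all chunks; return the chunk count, or -1 if any chunk is malformed. */
int parse_chunks(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < CHUNK_HDR)
            return -1;                /* trailing bytes too short for a header */
        uint32_t size = be32(buf + off);
        size_t payload;
        if (!checked_payload_len(size, len - off, &payload))
            return -1;
        /* a real parser would now process buf + off + 8 .. +payload bytes */
        off += CHUNK_HDR + payload;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not real media files). */
static const uint8_t GOOD[] = {
    0x00,0x00,0x00,0x0C, 'f','t','y','p', 'i','s','o','m',  /* 12-byte chunk */
    0x00,0x00,0x00,0x08, 'm','d','a','t'                     /* 8-byte chunk, no payload */
};
static const uint8_t BAD_SMALL[] = {
    0x00,0x00,0x00,0x04, 'f','r','e','e'                     /* size 4 < header: wraps */
};
static const uint8_t BAD_LARGE[] = {
    0xFF,0xFF,0xFF,0xFF, 'm','o','o','v', 0x00,0x00          /* size far beyond buffer */
};

int main(void) {
    printf("good: %d chunks\n", parse_chunks(GOOD, sizeof GOOD));
    printf("bad_small: %d\n", parse_chunks(BAD_SMALL, sizeof BAD_SMALL));
    printf("bad_large: %d\n", parse_chunks(BAD_LARGE, sizeof BAD_LARGE));
    printf("trusting length for size=4: %u\n", trusting_payload_len(4));
    return 0;
}
```

The checked parser rejects both malformed samples, while the trusting computation turns a size field of 4 into a payload length of about 4 GiB; a copy driven by that value is the kind of heap overflow that exploit mitigations such as ASLR exist to make harder to weaponise, and which older devices lacking those mitigations are least able to withstand.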

According to Zimperium, "a fully weaponized successful attack could even delete the message before you see it".

"These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited," warned security researchers from Zimperium.

"Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual - with a trojaned phone," they added.

Google has issued a statement saying that patches to fix the vulnerability are already available, but the timescale of the rollout depends on the device manufacturers. Until a patch reaches a given handset, the practical interim mitigation is to turn off automatic retrieval of MMS messages in the device's messaging app, so that incoming media is not parsed unprompted.

"We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device," said Google.

"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device," the firm added.

Chris Wysopal, CISO and CTO of Veracode, argued that Google will need to act quickly to ensure the vulnerability is fixed on all devices as soon as possible, even if it means issuing the patch directly to all devices, rather than waiting for manufacturers of Android smartphones to implement it in their own time.

"It will be very interesting to see how Google responds to this. They'll have to drive the patch quickly and in a manner that impacts every affected device at the same time," he said.

"Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch.

"This would leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that would impact any device," Wysopal continued.

"We're likely to see Google force down a tool that addresses the vulnerability for everyone," he added.
