Zimperium recently released information about an Android vulnerability which makes it possible for an attacker to take over your smartphone and steal your information.
The worst part of the vulnerability is that the attacker only needs to know your mobile number.
The vulnerability, named Stagefright, resides in the Android media library of the same name, which processes popular media formats.
“Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java,” said Zimperium.
The problems in Stagefright code expose 95% of Android devices, which is close to a billion phones.
Zimperium’s research found multiple remote code execution vulnerabilities that can be exploited using various methods.
The worst attacks require no user interaction. This means that an attacker who knows only a user’s number can execute code remotely on an Android phone through a specially crafted media file delivered via MMS.
“A fully weaponized attack could even delete the message before you see it. You will only see the notification.”
“Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep.”
Android and derivative devices running version 2.2 or later are vulnerable. Devices running Android versions prior to Jelly Bean are at the greatest risk due to inadequate exploit mitigations.
Full details of the vulnerability are available on the Zimperium website.