Android bug could cause devices to appear ‘dead’
Creating a simple Web page that loads a malicious MKV file using an HTML5 video tag made Android devices crash the same way as they did when exploited using local apps.
Drake, Zimperium zLabs vice president of platform research and exploitation, said that he discovered the flaw, codenamed Stagefright. Users don’t even have to play the video to give hackers access to everything, including their data, microphone, camera and more.
Malicious code executed by hackers could take control of smartphones and plunder their contents without the owners knowing. One particular piece of software, Stagefright, has errors in its code that allow attackers to send malware directly to any device for which they know the victim’s contact number, explained Drake.
In their tests, researchers found that if the vulnerability is leveraged, no ring or text tones will be heard, no calls can be accepted, the Android UI may become totally unresponsive, and, if the phone is locked, the user won’t be able to unlock it anymore. The news, then, that there is an unpatched bug in all versions of Android from 4.3 “Jelly Bean” right through to the very latest Android 5.1.1 “Lollipop” – accounting for more than half of all Android devices in the wild – is unwelcome in the extreme.
Zimperium said it warned Google about the flaw on April 9 and even provided a fix. It recommended that users block messages from unknown senders and disable the “Auto Retrieve” function for multimedia messages.
Another cybersecurity expert quoted by CNN, Chris Wysopal of Veracode, joined in describing Stagefright as the mobile-phone answer to Heartbleed, and offered the ominous opinion that if Google can’t figure out a way to push updates to all the affected phones soon, “we have a big disaster on our hands”. Once a phone is infected, the hacker can basically take it over. Blurting out the existence of something like Stagefright the instant security experts discovered it could have dramatically increased the risk of hackers exploiting the bug, while Google could only immediately address a small percentage of Droid devices with speedy software fixes.
“We’ve discussed in the past how repackaged apps pose a problem for users who may have a hard time differentiating legitimate apps from repackaged ones”, Trend noted.