Soon after Google announced a security update for the Stagefright vulnerability (a critical security bug) for its Nexus devices, a new bug has been reported that security researchers claim leaves Android devices “dead”.
In their tests, researchers found that if the vulnerability is leveraged, no ring or text tones will be heard, no calls can be accepted, the Android UI may become totally unresponsive, and, if the phone is locked, the user won’t be able to unlock it anymore.
All Android devices made in the last five years are at risk.
The malicious program that would attack Android is embedded in a short video, which will be sent to a person through a text message, according to a report from NPR.
But apparently, it is while the program processes the video that hackers take the opportunity to take control of the phone, hijacking it and stealing data.
Drake, Zimperium zLabs vice president of platform research and exploitation, said that he discovered the flaw, codenamed Stagefright.
“Whatever means is used to lure in users, the likely payload is the same”, Trend Micro said.
“A fully weaponized successful attack could even delete the message before you see it. You will only see the notification”.
According to CNET, Zimperium told National Public Radio that hackers have not taken advantage of the Android flaw so far.
For the record, they went on to second the notion that Stagefright is “much worse” than Heartbleed was, warning that phones running the oldest Android version to include the security flaw (version 2.2) are the most vulnerable to exploitation, and the hardest to correct with patches. The company claims Google responded the very next day, assuring a patch would be shared with customers in the future.
Updating Android software powering mobile devices is controlled by hardware makers and sometimes telecommunication service carriers, not Google. Drake notified Google, which is now sending a fix to its mobile partners.
This poses a more serious threat since it’s easier to get a user to access a Web page than to install a potentially unsafe app, which makes this vulnerability a new favorite for upcoming ransomware campaigns.
In the past, Android hackers have required the victim to do something wrong, like downloading a pirated app the hacker has laced with malicious software from a third-party store, for their schemes to work.