On Tuesday, a major security loophole in the Android mobile operating system was detected, which reportedly allows hackers to exploit and control the system via a text message and the user's mobile number. Cybersecurity firm Zimperium on Monday warned of the reported security flaw, which could potentially be used to hack one of the world's most popular mobile operating systems, a report from Yahoo stated.
According to Yahoo, Android code tagged as "Stagefright" was identified as the main culprit of the problem. The malicious code has been reported to automatically pre-load video snippets attached to a text message.
"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual - with a trojaned phone," Zimperium explained via a blog post on Monday.
Zimperium researcher Joshua Drake, in a related report from NPR, explained that a hacker need only create a short video, embed malware inside it, and forward it to a user's number. As soon as the video is received by the phone, "it does its initial processing, which triggers the vulnerability."
The report claims that messaging apps such as Hangouts will eventually process the video, but Drake stressed that such a set-up potentially invites the malware. He emphasized that using a native messaging app will lessen the impact of malware.
"You would have to view the text message before it processes the attachment. It does not require in either case for the targeted user to have to play back the media at all," Drake explained.
Zimperium claimed that Google was already aware of the issue and the company has reportedly provided patches to prevent further escalation of the problem.
"Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that's only the beginning of what will be a very lengthy process of update deployment," Zimperium said, as quoted on the Yahoo website.