28-07-2015. IT News reports that code already present on Android phones from version 2.2 onwards is vulnerable to memory corruption and can be exploited to fully compromise the device.
The security researcher who discovered the code, Joshua Drake from Zimperium, says that specially crafted exploits only need the phone number of the phone in order to execute. A weaponised MMS is sent that can even be automatically deleted once the code is installed and executed.
It takes advantage of code already present on the phone, called Stagefright, to install and execute.
Google patched the issue within 48 hours of notification, but is reliant on your phone carrier to issue updates so for the time being, the vulnerability still exists worldwide on up to 950,000,000 phones.
Drake has so far not disclosed the working method he used to demonstrate the hack. He will talk on the exploit at a Blackhat convention in August.
What reward did Google offer for the offer to save it from a huge problem? $1,000. He eventually talked them up to $1,337. Equivalent to a touch over 2 Google shares. At that price and considering the potential for damage and reward if used for the wrong purposes, I think they’re lucky he gave it to them…
Interestingly, he used to work for Rapid 7, the developer of Nexpose software, which we use to find vulnerabilities in networks.
James Walker
