How to Hack Millions of Android Phones Using Stagefright Bug, Without Sending MMS by Swati Khandelwal.
From the post:
Earlier this week, security researchers at Zimperium revealed a high-severity vulnerability in Android platforms that allowed a single multimedia text message to hack 950 Million Android smartphones and tablets.
As explained in our previous article, the critical flaw resides in a core Android component called “Stagefright,” a native Android media playback library used by Android to process, record and play multimedia files.
To Exploit Stagefright vulnerability, which is actively being exploited in the wild, all an attacker needed is your phone number to send a malicious MMS message and compromise your Android device with no action, no indication required from your side.
…
Security researchers from Trend Micro have discovered two new attack scenarios that could trigger Stagefright vulnerability without sending malicious multimedia messages:
- Trigger Exploit from Android Application
- Crafted HTML exploit to Target visitors of a Webpage on the Internet
These two new Stagefright attack vectors carry more serious security implications than the previous one, as an attacker could exploit the bug remotely to:
- Hack millions of Android devices, without knowing their phone numbers and spending a penny.
- Steal Massive Amount of data.
- Built a botnet network of Hacked Android Devices, etc.
“The specially crafted MP4 file will cause mediaserver‘s heap to be destroyed or exploited,” researchers explained how an application could be used to trigger Stagefright attack.
…
Swati has video demonstrations of both of the new attack vectors and covers defensive measures for users.
Does the presence of such a bug in software from Google, which has access to almost unlimited programming talent and to hear its tale, the best programming talent in the business, make you curious about security for the Internet of Things (IoT)?
Or has Google been practicing “good enough” software development and cutting corners on testing for bugs and security flaws?
Now that I think about it, Android is an open source project and as we all know, given enough eyeballs, all bugs are shallow (Linus’s Law).
Hmmm, perhaps there aren’t enough eyes or eyes with a view towards security issues reviewing the Android codebase?
Is it the case the Google is implicitly relying on the community to discover subtle security issues in Android software?
Or to ask a more general question: Who is responsible for security checks on open source software? If everyone is responsible, I take that to mean no one is responsible.