Researchers have developed an attack that puts more than 50 percent of Android phones into the digital equivalent of a persistent vegetative state in which they're almost completely unresponsive and are unable to perform most functions, including making or receiving calls.
The vulnerability, which resides in the mediaserver service Android uses to index media files, can most easily be exploited by luring a vulnerable phone to a booby-trapped website. Presumably, the phone can be revived by restarting it, but according to a blog post published Wednesday by a researcher from security firm Trend Micro, the bug can also be exploited by malicious apps. In this latter scenario, the malicious app could be designed to automatically start each time the phone is turned on, causing it to crash shortly after each restart.
Trend Micro researcher Wish Wu wrote:
The vulnerability affects Android versions 4.3 through the current 5.1.1, which together account for about half of the Android user base. The bug surfaced two days after separate researchers warned that an estimated 950 million Android phones can be hijacked by being sent a simple text message. That earlier flaw, the so-called Stagefright bug, is more serious because it allows attackers to pilfer audio, video, and other personal data from handsets and, in some cases, allows the execution of malicious code. What's more, in many cases, Stagefright attacks require no end-user interaction at all for the vulnerability to be exploited.