Report: Android Vulnerabilities Put Devices At Risk For Remote Hacking
SAN FRANCISCO (CBS Sacramento)-- A new report reveals that vulnerabilities in the way Android processes media files may lead to hackers being able to attack devices.
Users may be tricked into visiting malicious web pages, leading to remote code execution on almost all devices that run Android, according to researchers from mobile security firm Zimperium.
The trouble starts with the way Android processes the metadata of MP3 audio files and MP4 video files. The files can be exploited when the system or another app that relies on Android previews the files, as reported by IT World.
Earlier this year, researchers found a similar vulnerability which allowed exploitation through a simple deceiving MMS message.
The issue prompted lead device manufacturers to the "single largest unified software update in the world," according to Android's lead security engineer, Adrian Ludwig.
One flaw discovered by Zimperium, called libutils, affects almost all devices running Android software older than 5.0. The vulnerability is said to affect over 1 billion devices, according to the report.
Since the MMS issue was resolved with new versions and other messaging apps, hackers are now seeking to go through web browsers to remotely gain access to users' phones, researchers say.
Experts say attackers may trick users into visiting sites that exploit the flaw through email links or malicious advertisements, some which are even displayed on legitimate websites.
The flaws were reported to Google by the firm on Aug. 15 and is due for a proof-of-concept exploit code release once the problem is resolved. The fix is scheduled for Oct. 5th as part of a new security update, according to Google.
"As more and more researchers have explored various vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area," the Zimperium researchers said in their report. "Many researchers in the community have said Google replied to bugs they reported saying they were duplicate or already discovered internally."
