Android video engine leak makes cracking devices easy – update

A security problem in Android means that a malicious person only needs to know someone’s phone number to gain access to his system in many cases. It is unclear if there is already a patch for the problem.

Details about the security issue are not yet available. It is clear that this is a security problem in the Stagefright framework in Android, which is responsible for playing videos. An attacker can hide malware in the video, which is loaded as soon as the video is started. In addition, an attacker is given far-reaching powers: for example, he can activate the microphone and camera or ‘tap’ the screen.

In the case of Hangouts, for example, videos are directly processed by Stagefright, so that the malware is activated immediately upon receipt. A victim therefore does not have to start a malicious video himself. Security researcher Joshua Drake of Zimperium, who discovered the problem, tells NPR that Android’s default messaging app must load videos before they can cause damage. It is not clear whether apps such as WhatsApp and Telegram also do this, or whether videos directly load like Hangouts.

Also, the bug can be exploited by attackers on the Internet, by serving videos containing malware to potential victims. This can be done, for example, through malicious advertisements. That way, large numbers of Android users can be infected with malware.

In addition, it is unclear whether the issue has been patched. According to researcher Drake, Google has adopted its patches, but it is not clear whether they are present in the most recent Android version. What is certain is that many Android devices are not patched: because manufacturers usually adjust software updates for Android themselves, it can take months before they get a patch, if the hardware is still supported at all. However, some functionality in Android is housed in Play Services, so that it can be updated via the Play Store.

At this time, the issue is not actively exploited, but that may change now that the bug is revealed. Drake will reveal more details about the vulnerability at the Black Hat security conference in Las Vegas next week.

Update, 10:19: Google says that patches have been released and that they can be rolled out by manufacturers. This indicates that a patch is already available for Nexus devices.