Earlier this week, security researchers at Zimperium revealed a high-severity vulnerability in the Android platform that allowed a single multimedia text message to hack 950 million Android smartphones and tablets.

As explained in our previous article, the critical flaw resides in a core Android component called "Stagefright," a native Android media playback library used by Android to process, record and play multimedia files.

To exploit the Stagefright vulnerability, which is actively being exploited in the wild, all an attacker needs is your phone number to send a malicious MMS message and compromise your Android device, with no action and no indication required on your side.

Hacking Without Knowing Phone Number

But now an attacker does not even need the victims' mobile numbers to infect their devices, recent research claims.

In the previously known attack scenario, an attacker could exploit the Stagefright vulnerability only against contact numbers he or she already knew. That means the attacker needs the phone numbers of the targeted Android devices.

Such an attack scenario is not practically possible, because attackers who want to infect a large audience need bulk phone numbers for the targeted devices, even if they have a million-dollar balance to send a large number of national/international MMS messages.

New Ways to Trigger Stagefright Vulnerability

Security researchers from Trend Micro have discovered two new attack scenarios that could trigger the Stagefright vulnerability without sending malicious multimedia messages:
  • Trigger the exploit from an Android application
  • Crafted HTML exploit to target visitors of a webpage on the Internet

These two new Stagefright attack vectors carry more serious security implications than the previous one, as an attacker could exploit the bug remotely to:
  • Hack millions of Android devices without knowing their phone numbers or spending a penny.
  • Steal massive amounts of data.
  • Build a botnet of hacked Android devices, etc.

"The specially crafted MP4 file will cause mediaserver's heap to be destroyed or exploited," the researchers said, explaining how an application could be used to trigger the Stagefright attack.

Video Demonstration: 'App' Attack Vector

And to trigger it from a web page for all its visitors, "We embedded the same malformed MP4 file (named mp4.mp4) into an HTML file as below, which is then uploaded to a web server," the researchers say.

Video Demonstration: 'HTML WEBPAGE' Attack Vector

"An attacker would be able to run their code with the same permissions that mediaserver already has as part of its normal routines."

One thing to note: the previous attack vector required no end-user interaction to exploit the flaw, but the new attack vectors require user interaction, either to download the malicious Android app or to land on the specially crafted web page.

However, users can protect themselves from the previous MMS attack by turning off MMS auto-retrieval and using patched third-party apps to view MMS.

As it's easy for users to fall for one of the two new attack vectors, the latest attacks have a more severe impact on the targeted Android devices and can also be used to target a large audience.

Google has delivered a patch for the Stagefright attack, but given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices.
