As explained in our previous article, the critical flaw resides in a core Android component called "Stagefright," a native Android media playback library used by Android to process, record and play multimedia files.
To Exploit Stagefright vulnerability, which is actively being exploited in the wild, all an attacker needed is your phone number to send a malicious MMS message and compromise your Android device with no action, no indication required from your side.
Hacking Without Knowing Phone Number
But, Now you Don’t even require the mobile numbers of your victims to infect their devices, a recent research claimed.
In the previously known attack scenario, an attacker can exploit
Stagefright vulnerability only against his/her known contact numbers.
That means the attacker needs phone numbers of the targeted Android
devices.
Such Attack Scenario is not practically possible, because in case
attackers want to infect large number of audience they require bulk
phone numbers of the targeted devices, even if they have Million dollar
balance to send large number of National/International MMS.
New Ways to Trigger Stagefright Vulnerability
Security researchers from Trend Micro have discovered two new attack scenarios that could trigger Stagefright vulnerability without sending malicious multimedia messages:
- Trigger Exploit from Android Application
- Crafted HTML exploit to Target visitors of a Webpage on the Internet
These two new Stagefright attack vectors carry more serious security
implications than the previous one, as an attacker could exploit the bug
remotely to:
- Hack millions of Android devices, without knowing their phone numbers and spending a penny.
- Steal Massive Amount of data.
- Built a botnet network of Hacked Android Devices, etc.
“The specially crafted MP4 file will cause mediaserver‘s heap to be destroyed or exploited,” researchers explained how an application could be used to trigger Stagefright attack.
Post a Comment
Post a Comment