The battle against hacking and malware is never ending, and just when you think you’ve closed one vulnerability another crops up to take its place. No doubt that’s what’s going through the collective heads at Google right now as yet another Stagefright-style security flaw has been discovered in the tech giant’s Android operating system. For anyone who may have missed it, the original Stagefright was a weakness in Android’s system code (specifically the MMS code) that could be exploited by hackers to gain control over the user’s handset. The vulnerability was present in every operating system going back to Android 4.3, potentially putting a billion smartphones at risk. To their credit, Google was quick to develop a patch to fix the problem, never realizing that a second vulnerability was waiting in the wings.
Just as Google was sending out the patch for Stagefright, security experts at Trend Micro discovered yet another flaw in Android’s system code. Like the original Stagefright, the newly discovered vulnerability lurks in Android’s media server component, which handles all of the smartphone’s media files. This new bug specifically affects the AudioEffect library, and hackers could conceivably exploit it using malicious applications to execute arbitrary code, essentially hijacking the user’s device. This would not only compromise the smartphone’s system operations, but could potentially put the user’s personal data at risk. Perhaps more troubling than the bug itself are the wider-reaching security implications. Where the Stagefright vulnerability was only present in operating systems reaching back to Android 4.3, this new flaw exists in every mobile operating system going back to 2010’s Android 2.3.
The AudioEffect Bug
Still, there are some significant differences between Stagefright and the newly discovered AudioEffect bug. As detailed at MobilePhoneDeals.co.uk, Stagefright can be exploited by simply sending an infected video to the desired smartphone, and an attack can take place even if the user never opens the file. But the AudioEffect bug requires some interaction on the part of the user themselves; they must either visit a malicious website, or download a malicious app. While this might seem easy enough to avoid, it’s often more difficult than it sounds. Hackers have a wide range of techniques designed to lure people to malicious sites, and few of us are as circumspect as we should be when surfing the net. Malicious apps are, perhaps, an even greater hazard. With more and more free apps being repackaged and re-purposed, it can be extremely hard to verify their safety or authenticity. Moreover, many free apps do not require the user to grant any permissions before installation, and it is these apps that provide the perfect opportunity for hackers to piggyback into the Android operating system via the AudioEffect vulnerability.
Detection and Protection
Further exacerbating the AudioEffect problem is the difficulty in detecting the malware itself. Once the malicious software is installed on a device, it may lie dormant for weeks or even months, only to be activated at the whim of the hacker. It’s a troublesome scenario to say the least, and one that could leave billions of Android users vulnerable to attack. However, Google have tackled the problem head on, assigning it the reference CVE-2015-3842, and giving it a ‘high severity’ rating. They have developed a patch to address the bug, which should be included in the upcoming monthly Android update. Of course the update may take some time to reach consumers, depending on their mobile plans and their network operator’s policies. Until then, security experts recommend that Android users protect themselves by installing independent security software on all of their devices, or updating their existing anti-virus and malware protection programs.
The AudioEffect bug is inherent in every iteration of Android OS since Gingerbread 2.3, and that has the potential to put billions of smartphones at a heightened risk for attack via malicious software. Fortunately, the flaw has been uncovered and Google has taken the necessary steps to eliminate the vulnerability. Still, it highlights a growing problem, not just with Android but with all smartphone operating systems. As system code becomes more complex there are more opportunities for errors to be written into that code that may provide easy access for hackers and cyber criminals. It’s a chilling thought, particularly as we rely more and more on our smartphones for everything from keeping our daily work diaries to monitoring our health. Now, more than ever, security should be paramount in every smartphone owner’s mind.