How vulnerable, exactly, are Android phones to mobile app data theft? Based on recent research from mobile security expert Joshua Drake, 95% of Android devices are potentially compromised by flaws in Stagefright, a media playback tool.
As you may have heard, 6 critical vulnerabilities in Android’s media tools have been identified, leaving the majority of these devices exposed to the attack.
What Are the Risks of Stagefright Vulnerability?
In a nutshell, the Stagefright vulnerability allows attackers to deliver malware through a simple multimedia text message (MMS). The “remote code execution” bugs in the tool enable hackers to send an exploit packaged as a Stagefright MMS, giving them the ability to:
- Write code to the device
- Execute mobile app data theft
- Record audio and video
- Hack Bluetooth connections
Worse still, Android users never have to open the MMS for the attack to transpire! Exploit code sent to the default MMS application Messenger doesn’t need to be played to be effective. When the exploit code is opened in Google Hangouts, it triggers and deletes itself before the user would notice a message was sent.
However, what’s most concerning isn’t the stealth of the Stagefright attack or the lack of user interaction required – but its ubiquity. Basically, every version of Android above 2.2 is vulnerable to mobile app data theft; in other words, 950 million smartphones are at risk! Unfortunately, patches will only be applied to the handful of versions which are actively maintained by device vendors.
The Implications of Stagefright for Enterprise Mobility
For organizations, especially enterprises, that support a BYOD policy or provide customers with robust service apps, this vulnerability could have grave implications unless the necessary security mechanisms are in place. By sending exploits that escalate privileges and allow wider access across the infected phone, attackers could reach any applications or files available to customers or employees.
If your employees have access to sensitive company information – either through a file sharing app or the organization’s own mobile app – an infected phone could give hackers a gateway into your network.
If customers are using their credentials to access personal data on your systems (account details, medical data, etc.), those too can be compromised. This has far-reaching implications not only for the personal data that can be harvested, but also for enterprise compliance.
According to a recent Ponemon Institute study, 96% of enterprises are at least moderately concerned about malware on their networks, while only 75% are worried about a malware attack on their mobile devices. In fact, it’s often these less secure, roaming devices that open an enterprise’s network up to attack.
Another issue is that manufacturers are extremely slow in getting patches out to their users. According to Forbes, none of the main Android partners – LG, Lenovo, Motorola, Samsung or Sony – have responded as to whether they’ve made patches available. This means that right now hackers have free rein to access devices that carry your enterprise’s critical data and applications.
The only way to prevent enterprise mobile app data theft is through encryption and by imposing policies controlled by the real owners of the data. With a vulnerability as widespread as Stagefright, the only thing standing between your critical data and any number of malicious outsiders is your mobile app security strategy.