You may have seen the news that a vulnerability has been discovered in the Android software Stagefright that lets attackers send malware directly to any device whose phone number they know.
Chris Wysopal, CISO and CTO at Veracode, the application security specialists, commented on the news.
Chris Wysopal, CISO and CTO at Veracode:
“This is Heartbleed for mobile – a remotely exploitable vulnerability that affects millions of Android-based phones and tablets. These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS. All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over. It will be very interesting to see how Google responds to this. They’ll have to drive the patch quickly and in a manner that impacts every affected device at the same time. Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch. This would leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that would impact any device. We’re likely to see Google force down a tool that addresses the vulnerability for everyone.”