This morning, researchers at Zimperium Mobile Security announced a new vulnerability in Android, targeting the multimedia messaging system. Dubbed "Stagefright," the vulnerability affects roughly 950 million Android devices worldwide, according to researcher estimates, although the most vulnerable devices are those running pre-Jelly Bean versions of Android. Google has released a patch for the vulnerability to manufacturers, but most have not yet pushed that update to customers.
Zimperium hasn't released all the details of the attack, pending a more detailed presentation at the Black Hat conference next month, but it appears to target how Android processes video, specifically in the phone's MMS messaging capability. Attackers could exploit that vulnerability sending out malicious code disguised as a video message. Once the exploit takes hold, an attacker would gain the power to execute code remotely, compromising the phone's microphone, cameras, or any number of other core functions. In the most vulnerable cases, a user would not even have to interact with the message in order for the code to execute.
Google seems to have had little difficulty in coding a patch for the vulnerability, but deploying that patch may prove very difficult, given the widespread fragmentation in the Android ecosystem. With only 12 percent of devices running the latest version of Android, many carriers simply aren't deploying updates for Android phones on their network, creating long-standing patch deployment problems. Typically, those have been solved with application-level updates, but a function as fundamental as MMS may prove more challenging for Android's security team.