Are you an Android phone user? Please pay attention as now it only takes one text message to hack an Android phone. Yes, you read that right!
A newly revealed glitch in the Android operating system is believed to be one of the most devastating hacks in the history of mobile software. The glitch has been found by a mobile security expert at the security firm Zimperium, who claims that the discovered vulnerability is in the code of Android media playback tool known as ‘Stagefright.’
The researcher has found a number of flaws which will allow the hacker to execute malicious code remotely that can be exploited using various methods. And you know what’s worst? It requires zero interaction from the targeted device. All the hacker need to have is just your mobile phone number.
For those of you who don’t know, Android is one of the most popular mobile operating systems globally and that’s the reason why almost eighty percent of the smartphones are based on it. And this recently discovered bug possibly impacts over 95 percent of the Android-based smartphones, an estimate of 950 million devices, leaving them vulnerable to the security threat.
Exploitation of the Vulnerability
The hacker can take control of an Android phone to steal data and spy on a user and all it takes it for the hacker is to send you one text message with a video attachment embedded with a malicious code. You don’t even need to open a text message or play the video to be infected.
This vulnerability is being referred to as Stagefright which is named after the Android software that reads media files.
Actually the problem lies in how Android reads the video embedded in a text message. There is some messaging app on Android, like Google Hangouts, which may read the video files even before you open it and thereby affect you before you even receive a notification for a new text message.
Joshua Drake, a security researcher at Zimperium, said:
“This happens even before the sound that you’ve received a message has even occurred […] that’s what makes it so dangerous. [It] could be absolutely silent. You may not even see anything.”
“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging app, Messenger. That one does not trigger automatically but if you look at the MMS, it triggers, you don’t have to try to play the media or anything, you just have to look at it.”
Once a text message has been successfully received, the hacker can copy and/or delete data from the phone, and can even gain access to your phone’s microphone and camera to spy on you. In a nutshell, once your device is infected, the hacker will get a complete control over your device with an access to everything.
“It’s really up to their imagination what they do once they get in,” – Joshua Drake
The researcher said that, in total, there are seven serious vulnerabilities. But he has also confirmed that these vulnerabilities have not been exploited yet.
There were about 7 known vulnerabilities within the Android software’s piece of code known as Stagefright. And upon reporting, each one of them was recognized by Google and they assigned it with the following CVEs, which is a unique number used by Google to record and identify vulnerabilities:
Considering the severity of the issue, the security team over at Google responded positively and promptly and the patches were released within a couple of days, but, unfortunately, the manufacturers are slow in releasing patches to their devices.
“Zimperium not only reported the vulnerability to the Google teams, but also submitted patches. Considering severity of the problem, Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.”
And now, since these CVEs and details about the vulnerability has been made public, the security researchers, as well as the malicious hackers, will be having enough information to exploit the vulnerabilities.
Google’s Reaction and the Bug Fixes
Joshua Drake, a researcher who discovered these critical bugs, said that before making this news publicly available, all of the seven bugs were reported to Google and the fixes were scheduled in no time.
The first batch was reported in April of this year. And within a day, he received a confirmation message from Google that the bugs are recognized and would be patched in the future software release.
Then Drake reported the second set of vulnerabilities to Google at the beginning of May and like previously, Google responded within a couple of days to confirm that the patches for reported bugs have been scheduled.
FORBES got in touch with a spokesperson at Google, who while thanking Drake for his efforts said:
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”
Drake, the author of Android Hacker’s Handbook, told FORBES that even though all the bugs were reported to Google and the patches were released to the partners but most of the partner manufacturers have not released the fixes for the devices.
“All devices should be assumed to be vulnerable,” – Joshua Drake
Drake also told that there are numerous mobile phone manufacturers who have a partnership with Google, but no one knows how much time they are going to take to release updates. According to his estimates, out of 95 percent (950 million devices), as few as 20 percent will get fixed and the “optimistically” the percentage could go up to 50 percent.
One SMS and your Android device will be hacked
But still, even if 50 percent of the devices receive bug fixes from the manufacturers, there would be about 45 percent i.e. more than 400 million of the devices left vulnerable.
The researcher has also found out that only Android phones running version 2.1 and below will remain invulnerable.
Response from the Smartphone Manufacturers
Drake did get confirmation from a kind manufacturer, Silent Circle, who is a creator of the privacy-focused smartphone called “Black phone”, released the patched version for their phones “weeks ago”.
— Silent Circle (@SilentCircle) July 27, 2015
HTC responded to FORBES that:
“Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”
Google confirmed FORBES that the software update for their Nexus phones would not be released until next week. They said:
“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at Black Hat.”
Report typos and corrections to firstname.lastname@example.org