Newly Discovered Android Flaw Puts Almost One Billion at Risk


If you were looking for any more proof that Android is the new Windows, look no further: A newly discovered set of security vulnerabilities in the mobile OS has placed almost one billion users at risk. And all a hacker needs to do to compromise your handset is to send you a text message.

The flaw was uncovered by security researchers at Zimperium. It is the biggest smartphone flaw ever discovered.

“The leading smartphone operating system carries a scary code in its heart named Stagefright,” the researchers explain. “We believe these to be the worst Android vulnerabilities discovered to date. These issues in Stagefright code critically expose 95 percent of Android devices, an estimated 950 million devices.”

To compromise your Android handset, all a hacker needs is your cell phone number, Zimperium says. Then, they can send a specially-crafted media file via MMS text message that will remotely execute code and compromise the device. Worse still, you don’t even need to view the media file: when the message is received, Android will display notifications that trigger the code. It’s even possible that by the time you go to look at the message, the attack could have deleted the message. You may never even know what hit you.

The reason this happens is that Android processes incoming media files in text messages before you even see them, for performance reasons. But this means that malicious code can infect the system as soon as it hits the phone, too.

To be clear, just copying a specially-made media file onto an Android handset could trigger an attack; this isn’t just an MMS issue. It’s just that MMS is the scariest method for being infected because it requires no action from the user.

According to Zimperium, all Android versions 2.2 and newer are susceptible to this attack. But devices running Android versions older than Jelly Bean (which is about 11 percent of all Android devices) are at even worse risk due to “inadequate exploit mitigations.”

Zimperium says it alerted Google to the issue in April and that Google, to its credit, “acted promptly and applied the patches to internal code branches within 48 hours.” And Google has since publicly acknowledged the flaw and says it has sent a fix to its partners, which include both hardware makers and wireless carriers.

But as the security firm notes, this is only the beginning of what will be a very lengthy process of update deployment. Given the current situation with Android software updating—where most carriers don’t even bother to deploy updates, especially to older devices—it’s very likely that many handsets will never even receive the needed patch. Zimperium’s Joshua Drake estimates that only 20 to 50 percent of Android handsets will actually be patched.

The Stagefright vulnerability is very similar to an issue that stung the iPhone back in May, in that there was a vulnerability in Apple’s messaging code related to notifications. But thanks to Apple’s tighter control of iOS (it can deliver security updates to all of its users at will), that vulnerability was quickly fixed.