One Simple Text Can Hack 950 Million Android Devices

Your Android phone may be vulnerable to text hacking just by the attacker having your cell phone number. Zimperium, a security research firm, reported that the attackers can remotely execute code through a specially crafted media file delivered via MMS.

Android devices with operating systems from 2.2 to 5.1, which includes Lollipop and KitKat, are affected by the security bug. That’s more than 950 million Android phones and tablets today, or 95% of Android devices.

Why the bug is more complicated than you think

Deleting and not opening the message seem to be an easy solution; however, the vulnerability is more challenging than it seems. Even before the user gets to read the message, it could have already been deleted with nothing save from a notification alert on the smartphone.

Without the user even being aware that his phone has been compromised, any signs of the virus have already been removed.

A dangerous text message

A media playback tool in Android called Stagefright is where the vulnerability resides. Stagefright is a core component in Android devices and is used to process, record, and play multimedia files such as PDFs.

Just by having your cell phone number, the hacker can send a malicious message via MMS and it can quietly infiltrate the device even without no action from the user.

Once the hackers get control of the Android device, they can exploit it via “remote code execution” bugs, which allow them to collect private data and execute several functions. They can turn on the microphone and camera and record audio and video, take and download photos, read emails and Facebook messages, and reroute calls.

“Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.” – Zimperium’s blog post “Experts Found a Unicorn in the Heart of Android”

Zimperium tested how a Nexus 5 running the latest version, Android Lollipop 5.1.1, reacted to the attack.

zimperium screenshots

Source: http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

Android devices running Jelly Bean and older versions (11 percent of devices) are the most vulnerable because there are no recent security updates made on these.

What’s being done about it

Zimperium reported the bug to Google and also submitted patches. Google applied the patches immediately and sent them to device manufacturers, but it may take a long time for companies such as Samsung or Motorola to update customers’ phones. It is unknown how long it will take for the update process to be completed.

Silent Circle has patched the issue in its Blackphone, as well as Mozilla, which uses Stagefright code in Firefox OS.