Skip to main content

Text Message Could Hijack Your Android Phone

Malicious Code Can Execute on Reciept or During a Multimedia Preview Image: Zimperium Blog

Malicious Code Can Execute on Reciept or During a Multimedia Preview Image: Zimperium Blog

UPDATED Wed., July 29 with Google statement.

All a hacker needs to get access to most Android phones is the telephone number tied to the device, according to security researcher Joshua Drake. Exploits Drake revealed today (July 27) don't require a user to open a corrupted website or download a malicious attachment; a phone simply needs to be able to accept texts and have Stagefright (Android's default media playback engine) installed. 

Drake is the VP of Platform Research and Exploitation at Zimperium, a mobile-security firm based in Tel Aviv and San Francisco. A Zimperium company blog post stated that the Stagefright flaws are "the worst Android vulnerabilities discovered to date," due in part to how widespread Stagefright is. They estimate "95 percent of Android devices, an estimated 950 million devices," are at risk until a patch is applied.

MORE: Android M: Top New Features Explained

Stagefright, which has been a part of Android the release of Android 2.2 Froyo in 2010, is still present in the current Android 5.1.1 Lollipop. Regarding the upcoming version of Android, Drake pointed out on Twitter that "Android M uses Stagefright," though he assured users that they should not worry, continuing by saying "I expect that the release version of Android M will ship with these bugs fixed already."

More recent versions of Android have been engineered to keep application data separated, but the further back one's device is in the platform's history, the more access hackers could gain to one's phone. The turning point for Android security seems to be around Android 4.1 Jelly Bean, with Zimperium noting that pre-4.1 devices "(roughly 11 percent of devices) are at the worst risk due to inadequate exploit mitigations."

(The Zimperium post noted that SilentCircle's Blackphone handset, which runs a customized, "hardened" version of Android called PrivatOS, was already protected against Stagefright exploits.)

While Google worked with Drake to deftly create a patch to fix the Stagefright flaws, users now need Android device manufacturers to push the update down to devices. Those who have watched carriers and manufacturers take ages to issue updates may not hold their breath waiting for the fix.

Not only are devices running older software more at risk, but according to Zimperium, "Devices older than 18 months are unlikely to receive an update at all."

UPDATE: Google on July 28 issued a statement on the Stagefright flaws to various media outlets.

"This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected," the statement said. "As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users."

"As part of a regularly scheduled security update," the statement continued, "we plan to push further safeguards to Nexus devices starting next week. And we'll be releasing it in open source when the details are made public by the researcher at Black Hat."

Henry T. Casey is a staff writer at Tom's GuideFollow him on Twitter @henrytcasey. Follow us @tomsguide, on Facebook and on Google+.