Around 950 million people worldwide who use Android devices are at huge risk of being attacked by unscrupulous hackers who only need to send a single message to get control of their smartphones.
The new security flaw, called Stagefright, is a remote code execution bug that allows hackers to gain full access to and control of a device without the phone owner doing pretty much anything. Normally, security flaws require users to do something, such as click a link or open a file. Stagefright, however, works before users do anything at all. Hackers only need to send an MMS to infiltrate a device, as long as it runs on Android.
"Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep," says security firm Zimperium zLabs, whose Vice President of Platform Research and Exploitation Joshua Drake discovered the flaw. "Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual - with a trojaned phone."
Zimperium says that devices running Froyo, Gingerbread and Ice Cream Sandwich, which together account for 11 percent of all Android users, are the most vulnerable, but users of Jelly Bean, KitKat and Lollipop are not home free.
To make the situation even worse, there is nothing users can do about it except wait for their smartphone manufacturer and carrier to issue a patch. Google, which was contacted by Drake in April, has already issued a fix, but it is up to the manufacturers and carriers to release the patch to users. So far, only the security-minded manufacturer Silent Circle, which sells the Blackphone, and HTC have said they have already implemented the fix.
"Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July," an HTC person tells NPR. "All projects going forward contain the required fix."
The problem with updating Android devices is that, unlike on iOS, where more than 80 percent of all users have the most up-to-date version of the platform, Google cannot ensure all Android devices are patched. The job is left to the manufacturers and carriers, which have no financial incentive to patch phones after they have been purchased.
If there is a silver lining to all of this, the security researchers have yet to spot an instance of the flaw being exploited in the wild, although of course there is really no stopping hackers from doing so, especially now that the bug has been exposed.