How hackers can take control of your Android with one text message

A flaw in the Android operating system could give hackers easy access to 95% of Android devices, according to cyber security firm Zimperium. 

Gustau Nacarino/Reuters
A hostess displays the Samsung Galaxy S6 Edge smartphone during the Mobile World Congress in Barcelona March 2, 2015.

Security researchers have exposed what experts are calling the worst Android flaw discovered to date. 

According to research conducted by Joshua Drake of the cyber security firm Zimperium, a vulnerability in an Android component used to display media, called "Stagefright," allows hackers to take control of your smartphone by sending one text message with a malicious media file attached. 

Because Stagefright automatically pre-loads videos attached to MMS messages, there is no way to prevent these attacks. 

“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” Zimperium wrote in a blog post, adding that “this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”   

Android is the the world’s most popular smartphone operating system and 95 percent of Android devices – about 950 million smartphones and tablets – are at risk, according to Zimperium.

"On some devices, the privileges at which this runs means an attacker could access all kinds of content on your device or access resources such as the camera," said James Lyne, global head of security research at security company Sophos, to the BBC.

It does not appear that any hackers have taken advantage of the flaw yet, but Zimperium and Google aren’t taking any chances. Zimperium has reported the problem to Google and provided the tech company with patches to prevent breaches.

"Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that's only the beginning of what will be a very lengthy process of update deployment," Zimperium said.

Unlike Apple, which controls the hardware and software on its iPhones, Google provides its latest version of Android to manufacturers who are then able to tweak it to their liking. This makes updating devices using the operating system a much greater challenge, and doesn’t guarantee that the patch will actually reach all Android users.

Often, manufacturers choose not to fix phones already sold because the company can save money by not providing updates, according to Collin Mulliner, a senior research scientist at Northeastern University. 

In other words, if your phone is hacked because updated software is not made available, “Google is not the actual one to blame," Mr. Mulliner told NPR. "It's ultimately the manufacturer of your phone, in combination possibly with your carrier.” 

Some manufacturers have taken months to issue critical patches in the past, according to Vice’s Motherboard blog. And “at times, for devices older than a year or 18 months, patches never come.” 

To find out what kind of risks your Android faces, Zimperium suggests that consumers “contact your device manufacturer and/or carrier to ascertain whether or not your particular device has been updated [with] the requisite patches.” 

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.