Security researchers have exposed what experts are calling the worst Android flaw discovered to date.
According to research conducted by Joshua Drake of the cyber security firm Zimperium, a vulnerability in an Android component used to display media, called "Stagefright," allows hackers to take control of your smartphone by sending one text message with a malicious media file attached.
Because Stagefright automatically pre-loads videos attached to MMS messages, there is no way to prevent these attacks.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” Zimperium wrote in a blog post, adding that “this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
Android is the the world’s most popular smartphone operating system and 95 percent of Android devices – about 950 million smartphones and tablets – are at risk, according to Zimperium.
"On some devices, the privileges at which this runs means an attacker could access all kinds of content on your device or access resources such as the camera," said James Lyne, global head of security research at security company Sophos, to the BBC.
It does not appear that any hackers have taken advantage of the flaw yet, but Zimperium and Google aren’t taking any chances. Zimperium has reported the problem to Google and provided the tech company with patches to prevent breaches.
"Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that's only the beginning of what will be a very lengthy process of update deployment," Zimperium said.
Unlike Apple, which controls the hardware and software on its iPhones, Google provides its latest version of Android to manufacturers who are then able to tweak it to their liking. This makes updating devices using the operating system a much greater challenge, and doesn’t guarantee that the patch will actually reach all Android users.
Often, manufacturers choose not to fix phones already sold because the company can save money by not providing updates, according to Collin Mulliner, a senior research scientist at Northeastern University.
In other words, if your phone is hacked because updated software is not made available, “Google is not the actual one to blame," Mr. Mulliner told NPR. "It's ultimately the manufacturer of your phone, in combination possibly with your carrier.”
Some manufacturers have taken months to issue critical patches in the past, according to Vice’s Motherboard blog. And “at times, for devices older than a year or 18 months, patches never come.”
To find out what kind of risks your Android faces, Zimperium suggests that consumers “contact your device manufacturer and/or carrier to ascertain whether or not your particular device has been updated [with] the requisite patches.”