A security flaw in Google's Android mobile operating system allows attackers to take control of someone's device just by sending a text message – and the recipient doesn't even have to open it.
While Google has released a patch for the widespread vulnerability found in its Stagefright multimedia playback engine in the Android OS, the fix won't help millions of users with older versions of the system that Google no longer supports. Android has deployed Stagefright since its 2.2 release in 2010.
But perhaps more concerning than this flaw is the fact that Stagefright seems so poorly coded that it's ripe for other major security issues, says Joshua Drake, senior director of platform research and exploitation at the cybersecurity analytics firm Zimperium.
"My only reservation about calling this bug the Stagefright bug is that I highly doubt this is the last time we’ll have to talk about Stagefright," says Mr. Drake, who publicly revealed the vulnerability on Monday.
Google declined to comment about the quality of Stagefright code or the testing practices to evaluate the code for security flaws. The company did, however, release a statement thanking Drake for work in revealing the vulnerability.
One use for Stagefright is preprocessing videos sent over text message or through some third-party apps. The bug in the multimedia engine means that attackers could send a text message with a malicious video file and infect the mobile device without a recipient actually clicking to open the file.
“[A hacker] could even delete that text message and delete the evidence of the attack,” says Drake.
By exploiting this vulnerability, an attacker could gain control over Bluetooth, video, audio, and the microphone – enough to turn a phone into a spycam. On many phones, an attacker could gain complete control of the device.
News of the Stagefright bug also raises questions about Google's update policy for the Android operating system. Currently, Google provides patches the two most recent operating systems it still supports – KitKat and Lollypop.
Unlike the Apple iPhone, in which 84 percent of users run the current operating system, Android users regularly lag behind in updates. Only around half of the 1 billion Android users run Lollipop or KitKat, meaning some 500 million phones still susceptible to the Stagefright attack.
Security professionals have long been critical of Google over its Android update practices. When bugs affect Android versions that Google still supports, the company writes a patch, sends it to phone manufacturers, and counts on companies such as Samsung or Motorola to update their customers' phones. But many manufacturers do not treat updates with urgency. If a bug affects a version of Android that Google no longer supports, phone manufacturers can develop patches on their own, but few ever do.
"The problem is that devices sold today have no warning system as to if they will ever be updated," says Todd Beardsley, research manager at the security firm Rapid7.
While it’s possible to change Androids settings to prevent the phones from automatically downloading video from text messages, that still may not be a complete fix for Android users who don't receive the patch for their phones, says Drake, the Zimperium researcher. “The best I can say to people without the patch is to make sure they trust anyone with their phone number."