Nasty Bug Lets Hackers Into Nearly Any Android Phone Using Nothing But A Message


It’s like something from a bad movie: eager to learn the details of the bad guy’s dastardly plot, the good guys hack his phone armed with little more than knowledge of his phone number. No physical access to the phone, no tricking him into opening some shady application; just a quick message sent to his phone, and bam — they’re in.

Alas, that’s essentially how a new Android hack works, according to researchers… and the vast majority of Android devices are vulnerable.

Here’s the breakdown:

  • Researchers at Zimperium Mobile Labs, where it was discovered by VP of Platform Research and Exploitation Joshua Drake, claim that up to “95% of Android devices” are vulnerable.
  • To initiate the attack, the hacker sends a maliciously modified video message. The message is able to circumvent Android’s sandboxing security measures and execute remote code — at which point they’d have near-full access to your device, its storage, its camera and microphone, etc.
  • The hack is being referred to as “Stagefright.” “Stagefright” is also the media library that Android uses to process video, and is the bit of code being exploited here.
  • In many cases, the device will start processing the message without the user opening the message manually. Just receiving the message is enough to get the ball rolling.
  • Worse yet, an attacker could theoretically delete the message themselves as soon as they’ve executed the attack, leaving behind no trace but a notification that most would quickly swipe away with no idea that their device is now under an attacker’s control.
  • The bug is said to have been introduced in Android v2.2 (Froyo), but Zimperium has successfully tested it on builds as recent as the latest release, Android 5.1.1 (Lollipop). Devices running a build older than Jelly Bean (4.1) are said to be most vulnerable.

The good news: the bug can be fixed with an over-the-air update, and Google already has a patch ready to go.

The bad news: It’s up to device manufacturers to send out the patch, and… well, that can take a while. If you’ve got an older phone that hasn’t been updated in ages — as is the case for nearly 11 percent of active Android phones (those still running Froyo, Gingerbread, or Ice Cream Sandwich) — it’s feasible that it won’t get a patch at all.

It is currently unclear what, if anything, Android users can do to protect themselves from this exploit in the meantime. If a confirmed method is found, we’ll share it with you.

When asked for comment, a Google spokesperson replied with the following:

“We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.

Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”