Do you own an Android? If so, your phone may be vulnerable to hacking.
It appears that Android phones can be hacked due to a flaw in the operating system’s Stagefright media pack, leading to a vulnerability in any phone running versions of the Android operating system between 2.2 and 4.
That encompasses a huge number of Android devices, meaning users whose phones haven’t been patched run the risk of their privacy and safety being compromised.
As Forbes put it Monday, “Nearly 1 billion cell phones could be hacked with one text,” making this one of the worst security holes in Android history.
Forbes’ Robert Hackett writes:
“Should a hacker learn someone’s cell phone number, all it takes is for that person to send a malware-laced Stagefright multimedia message to an affected phone in order to steal its data and photos or to hijack its microphone and camera, among other nefarious actions. Worse yet, a user might have no idea that his or her device has been compromised.”
ThreatPost, a site run by the Kaspersky Lab Security News Service, reports:
“Stagefright is an over-privileged application with system access on some devices, which enables privileges similar to apps with root access.”
Stagefright processes several common media formats, and is implemented in native C++ code, which makes it easier to manipulate.
Researcher Josh Drake of Zimperium Mobile Security also told ThreatPost:
“It’s a nasty attack vector. On some devices, [Stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system. And system runs a lot of stuff. You’d be able to monitor communication on the device and do nasty things.”
Chris Wysopal, the chief tech and information security officer at Veracode, told Forbes the vulnerabilities pose a security issue for users “since they can be impacted without having clicked on a link, opened a file or opened an SMS.”
On the company’s official blog, the Zimperium Mobile Security Team also explained:
“This vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
Forbes said Drake reported the problems to Google this spring, and the company acted swiftly to find fixes for them. The company apparently added patches to its internal code branches within a matter of days. However, there’s a question of whether all device manufacturers have adequately pushed these updates out to protect their customers.
It’s crazy to me that something so simple (an MMS message) could be used to hijack so many functions of the phone. How do developers miss this kind of stuff?