Giant security flaw makes 950 million Android phones vulnerable to texting hack

© Dylan Martinez
Android is by far the most dominant smartphone operating system in the world, and it has just been found to be vulnerable to a serious smartphone security flaw which allows devices to be hacked by simply sending them a text message.

About 80 percent of smartphones worldwide run Android, and just about all of those have a major vulnerability in their software, according to experts at Zimperium, a cybersecurity company specializing in mobile devices.

What makes this problem a gaping security hole is that the victims don’t even need to be tricked into downloading or opening a bad file – attackers only need to send them a text message for the malware to take hold.

The issue stems from the way Android processes incoming text messages. Media playback software utilized by Android, called Stagefright, processes media files, such as images or video, sent to your device before you even open the message. Hackers can hide malware in those files, getting Stagefright to automatically unleash them onto your phone, thus giving attackers unfettered access to copy and delete data or use the camera, microphone, and GPS to track your every move.

“This happens even before the sound that you’ve received a message has even occurred,” Joshua Drake, a security researcher with Zimperium, told NPR. “That’s what makes it so dangerous. [It] could be absolutely silent. You may not even see anything.”

The issue affects any phone using Android software released in the last five years, according to Zimperium. That includes devices running Android’s alphabetically-coded versions, Froyo through Lollipop, which together account for 95% of the operating systems being used on all android phones – or 950 million devices.

Zimperium said that it privately warned Google of the flaw on April 9, and even provided them with a fix. The company claims Google responded within 48 hours, saying that the bug would be patched in the near future.

Companies are often given a 90-day grace period to issue a fix in situations like this. It’s a guideline that Google itself abides by when it finds flaws in others’ software, according to CNNMoney.

READ MORE: 1.4mn vehicles recalled over remote hack vulnerability

Zimperium went public with the news because the fix hadn’t been made available 109 days later.

This is likely due to the fact that Android isn’t a single operating system like Apple’s iOS, making it difficult to address problems for the myriad devices using the operating system in one fell swoop. Google also has to deal with third parties such as phone carriers like Verizon, T Mobile and AT&T, as well as hardware manufacturers like Samsung and HTC.

Google told CNNMoney that it has already sent a fix to these partners, but it remains to be seen if they have in turn released it to users themselves.