Giant security flaw makes 950 million Android phones vulnerable to texting hack
About 80 percent of smartphones worldwide run Android, and just about all of those have a major vulnerability in their software, according to experts at Zimperium, a cybersecurity company specializing in mobile devices.
What makes this problem a gaping security hole is that the victims don’t even need to be tricked into downloading or opening a bad file – attackers only need to send them a text message for the malware to take hold.
So apparently Android phones are going to be easy to hack just by text message.— Savage Storm (@SavageArtStorm) July 27, 2015
The issue stems from the way Android processes incoming text messages. Media playback software utilized by Android, called Stagefright, processes media files, such as images or video, sent to your device before you even open the message. Hackers can hide malware in those files, getting Stagefright to automatically unleash them onto your phone, thus giving attackers unfettered access to copy and delete data or use the camera, microphone, and GPS to track your every move.
“This happens even before the sound that you’ve received a message has even occurred,” Joshua Drake, a security researcher with Zimperium, told NPR. “That’s what makes it so dangerous. [It] could be absolutely silent. You may not even see anything.”
The issue affects any phone using Android software released in the last five years, according to Zimperium. That includes devices running Android’s alphabetically-coded versions, Froyo through Lollipop, which together account for 95% of the operating systems being used on all android phones – or 950 million devices.
This whole Android hack thing makes me glad when I'm using Windows. It's like I have the Battlestar Galactica & I'm immune to a Cylon virus— Matt (@clappenings) July 27, 2015
Zimperium said that it privately warned Google of the flaw on April 9, and even provided them with a fix. The company claims Google responded within 48 hours, saying that the bug would be patched in the near future.
Companies are often given a 90-day grace period to issue a fix in situations like this. It’s a guideline that Google itself abides by when it finds flaws in others’ software, according to CNNMoney.
Zimperium went public with the news because the fix hadn’t been made available 109 days later.
This is likely due to the fact that Android isn’t a single operating system like Apple’s iOS, making it difficult to address problems for the myriad devices using the operating system in one fell swoop. Google also has to deal with third parties such as phone carriers like Verizon, T Mobile and AT&T, as well as hardware manufacturers like Samsung and HTC.
Good luck waiting for Google & Carrier updates | Most Android phones at risk from simple text hack, researcher says http://t.co/rvv0dEzlW9— Jason O'Donoghue (@i_Jason) July 27, 2015
Google told CNNMoney that it has already sent a fix to these partners, but it remains to be seen if they have in turn released it to users themselves.