While hacking is not that easy as it looks in the movies, it’s certainly possible. Android is still one of the preferred operating systems for hackers, because it’s really worth hacking it: about 80% of smartphones are running on Android.
Recently, we learned about a significant number of apps that are susceptible to password cracking but that seems mild compared to what cybersecurity firm Zimperium discovered. The researches discovered a vulnerability in Android that would allow a third-party to access everything on your phone and all they need is your phone number.
What’s even scarier is the hack can go completely unnoticed. Using someone’s phone number, a hacker can send a media file through MMS and as soon as the message is received, the malicious code would execute instantly. According to Zimperium, the flaw is present on approximately 95% of Android devices, running versions between 22 and 5.1.
Joshua Drake, security researcher with Zimperium, says “This happens even before the sound that you’ve received a message has even occurred,” so there’s no action needed from the user’s part. It’s definitely not like downloading an infected file or visiting a malicious website yourself.
Drake says, the code executes when the messaging app does the initial processing. And none of this is visible to the phone owner. The vulnerability is caused by Stagefright, a media library that processes media files. After the exploit is completed, the hacker can gain remote access to the phone’s files, emails, microphone, camera, personal credentials and anything else you might think of.
According to Drake, using the phone’s default messaging app is less dangerous, but just “a tiny bit”. In that case, you’d have to view the text message for the attachment containing the malicious code to be processed. However, in neither situations, would you need to actually play the media. This specific malware relies on Stagefright to be processed and doesn’t need the user to take any kind of action. The researcher found the flaw by himself, while working in his lab and doesn’t think there are any hackers out there that are using it….for now.
Drake has been collaborating with Google this spring, and he even sent them the patches needed to fix the bugs, which the tech giant accepted and implemented them right away. But this doesn’t mean the fixes will reach everyone’s Android phones. The patches must first go through manufacturers, and carriers. This takes time, and older devices may not even receive the fix. There’s not much you can do right now, besides making sure your phone is up to date.
UPDATE: A bit of digging into the settings of messaging apps and it turns out….there is something you can do to protect your phone from getting hacked via MMS.
Google released an official statement to VentureBeat, in order to express their gratitude to Joshua Drake, the researcher who found the Stagefright exploit. Here’s the full comment:
“The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device. Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”
Npr.org has reached out to prominent smartphone manufacturers and mobile carriers to see what actions they plan to take in order to fix the bug. So far, Silent Circle stated Blackphone already received the fix, HTC has started to roll out the patches in early July and T-Mobile says they rely on manufacturers to release security updates, but they are “working with them” regarding deployment.
Feel free to visit our News section to stay up to date on everything apps and games. Don’t forget to follow us on Facebook, Twitter, Pinterest, Flipboard and Google+ to receive our latest mobile how tos, and apps & games reviews for Android, iOS and Windows Phone !