Android is the most popular mobile operating system in the Universe: More than 80 percent of smartphones run on it. According to mobile security experts at Zimperium, there’s a gaping hole within the software program — one that might let hackers break into somebody’s cellphone and take over, just by sending a text. According to the BBC, this exploit could affect more than a billion phones world wide.
Just An MMS?
In this attack, the target would not need to open an attachment or download a file that is corrupt. The malicious code would take over immediately, the second you receive a text from the hacker or a compromised system.
“This happens even before the sound that you’ve received a message has even occurred,” says Joshua Drake, safety researcher with Zimperium and co-writer of Android Hacker’s Handbook. “That’s what makes it so dangerous. It might be absolutely silent. You may not even see anything.”
Here’s how the exploit would work: The ‘bad person’ creates a short video, hides the malware inside it and texts it to your number. As soon as the message is received by the cellphone, Drake says, “it does its initial processing, which triggers the vulnerability.”
The messaging app Hangouts immediately processes videos, to keep them ready in the smart phone’s gallery. That means the consumer does not have to waste time looking. But, according to Drake, this invites the malware right in.
If you are utilizing the telephone’s default messaging app, he explains, it is “a tiny bit less harmful.” You would have to view the textual contents before it processes the attachment. But, to be clear, “it doesn’t require in either case for the targeted person to need to play back the media at all,” Drake says.
Once the attackers get in, Drake says, they’d have the ability to do anything — copy or transmit the data, delete it, take over your microphone and camera to watch each and every word and move. “It’s really up to their imagination what they do as soon as they get in,” he says.
According to Zimperium, this set of vulnerabilities impacts nearly every Android cellphone in use. Drake says he found it in his lab, and he doesn’t believe that hackers are currently exploiting it — at least not yet.
In correspondence in April and May, he shared his findings with Google, which makes the Android operating system. He even sent along patches to fix the bugs.
“Basically, within forty eight hours I had an e-mail telling me that they’d accepted all the patches I sent which was nice,” he says. “You know, that is an excellent feeling.”
Adrian Ludwig, the lead engineer for Android safety at Google, stated that they’ve notified partners and already dispatched a fix to the smartphone makers that use Android.
Whether it gets to the people’s smart phones isn’t in Google’s hands.
According to security firm F-Secure, 99 percent of mobile malware threats in the first quarter of 2014 had been designed to run on Android devices.
Android phones are very completely different from iPhones, for instance. Apple runs a closed system: It controls the hardware and software, the iOS, and it is simple to ship out a major revamp. The firm says 85% of iPhone customers have the latest operating system.
Android Central, a famous blog, has described the challenge of updating the operating system as an “impossible problem.” Earlier this year, an exploit discovered in the Android Web-browsing app was left largely un-patched too.
Updated 5:21 p.m. 27 July: Google Issues Statement + response from companies
Google has said:
“We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”
“Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required repair.”
“We patched ‘Blackphone’ weeks in the past!”
Other manufacturers have yet to respond. We will update the page as soon as we get a response from them.
Update: Thanks to reddit user Patchsalts for correcting us. It should have been MMS instead of SMS