Stagefright Vulnerability Leaves 950M Android Phones At Risk of Hacking

by Fox Van Allen on July 27, 2015

Android users beware: A security researcher is warning about a dangerous new vulnerability called Stagefright present in most versions of the mobile operating system (Android 2.2 and later). A hacker could use the flaw to steal data from your phone, spy on your conversations and potentially install other malware programs. An estimated 950 million Android phones – as many as 95% of all Android devices currently in use – could be affected.

According to Joshua Drake, the white hat researcher from Zimperium zLabs who discovered the problem, the security hole lies in the Stagefright media playback program in Android. It leaves devices vulnerable to attack via multimedia messaging (MMS) apps like Messenger and Google Hangouts. In Google Hangouts, Drake notes, MMS attacks “trigger immediately before you even look at your phone, before you even get the notification.” If a hacker knows your phone number, he could compromise your device simply by sending you a message.

“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus where the default MMS is the messaging application Messenger. That one does not trigger automatically but if you look at the MMS, it triggers, you don’t have to play the media or anything, you just have to look at it,” Drake told Forbes. A hacker could even delete the message after its malware payload has been delivered, erasing the evidence that your phone has been compromised.

Drake first notified Google of the Stagefright vulnerability on April 9, and sent the company software patches to fix the problem. He has since reported and offered patches for six more vulnerabilities. Google has accepted the patches, but it could take another month or two for all of them to make their way to your phone. Even Google’s own Nexus 6 with up-to-date firmware is only protected against some of the vulnerabilities (as of this writing).

Thankfully, there are no known instances of this vulnerability being exploited. That said, it’s impossible to stay 100% protected from attack until your device is patched. Make sure you install software updates for your Android phones and tablets as soon as they’re available. You might want to stay away from using Google Hangouts for messaging in the meantime. You should also ignore unexpected messages from unknown sources.

[Image credit: Zimperium]



© Techlicious LLC.