Security expert Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium, has developed an exploit that can hack virtually any Android phone out there just by sending a slightly modified multimedia message (MMS).
According to Drake, for the exploit to work you only need to know the victim’s phone number. The vulnerabilities were found in a core Android component called Stagefright, which is responsible for media playback and recording. Once an MMS is received, the device downloads the video with its embedded multimedia content from the web on its own, thus allowing for remote code execution.
Thus, in many situations, the receiver doesn’t have to do anything for the hack to take place. The stock Messenger app won’t do anything until you see the message, but apps such as Hangouts usually pre-process media attachments which could trigger the exploit. While the security researcher isn’t sure how many apps use Stagefright, he assumes that any app that handles media files is linked somewhat to the framework.
What makes this exploit particularly dangerous is that no interaction is required from the user for it to activate itself. As Drake has pointed out, you could receive a malicious MMS while you’re asleep and your phone is on silent mode; when you wake up, even if you delete the message, there’s a high risk that your device has already been infected.
But it seems that Google is already working hard behind the curtains to fix the loopholes, mainly thanks to the researcher, who created the necessary patches and shared them with Google. The Android maker has already pushed out a fix to its hardware partners, but when you’ll receive it depends on your phone’s manufacturer.
Drake estimates that over 95 percent of Android devices are still affected, and that’s because of the slow rollout of Android updates. If the attackers manage to exploit the vulnerabilities they could get access to the microphone, camera and the external storage partition, but won’t be able to install applications or access their internal data. But Drake estimates that on around 50 percent of the affected devices the framework runs with system privileges, which means malevolent parties could allegedly gain root access and therefore complete control of the device.