Could Your Android Phone Be Hacked With a Text?
Could Your Android Phone Be Hacked With a Text?
Is your Android phone under attack? Researchers have discovered a bug in Google’s mobile operating system that can give hackers access to people’s phones just by sending a text.
According to mobile security firm Zimperium, attackers need only know your phone number.
Discovered by Zimperium researcher Joshua Drake, the vulnerabilities are hidden in an Android media library known as Stagefright. “Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java,” Drake wrote.
About 95 percent of Android devices, or about 950 million smartphones, are vulnerable, Drake said.
The firm found multiple ways to execute the bug, “the worst of which requires no user-interaction.” All it takes is a 10-digit phone number and an MMS message; some hackers could even delete the message before a user sees it.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” the Zimperium team wrote in a blog post.
No need to open a file or click on a link; the attack could come while you’re sleeping, blissfully unaware that private photos, contact details, bank information, and favorite websites are being accessed. If the timing is right, you’ll wake up none the wiser, carrying on with a trojaned phone.
“If ‘Heartbleed’ from the PC era sends [a] chill down your spine, this is much worse,” the security firm said.
Most smartphones running Android 2.2 and later are vulnerable, though those operating versions prior to Jelly Bean (which accounts for about 11 percent) are at the highest risk.
Zimperium already reported the vulnerability to Google, and submitted its own patches, which the Web giant applies to internal code branches within 48 hours. But a full fix requires an over-the-air firmware update, which could take a while given the state of Android fragmentation. It may not even reach devices older than 18 months.
“We hope that members of the Android ecosystem will recognize the severity of these issues and take immediate action,” the company wrote.
Some folks are, however, are protected: owners of SilentCircle’s BlackPhone, as well as users of Mozilla’s Firefox, which has included fixes since version 38.
Drake will present his research at next month’s Black Hat USA and DEF CON 23 events.
malikmuddser