One text message could leave 95 percent of Android phones vulnerable to an attack. Android is the most popular mobile operating system on Earth with about 80 percent of smartphones running on it. In this attack (being dubbed as the “Stagefright”), the user would not be the weakest link, as is the case in most hacks. Through a simple text, the malicious code would take over the instant you receive the text message.
“This happens even before the sound that you’ve received a message has even occurred,” says Joshua Drake, a security researcher with Zimperim and co-author of Android Hacker’s Handbook. “That’s what makes it so dangerous. (It) could be absolutely silent. You may not even see anything.”
How does this attack work? The hacker creates a short video, hides the malware inside and texts it to your number. As soon as it’s received by the phone, it does its initial processing, which triggers the vulnerability. Once the attackers get in, they would be able to do anything – copy data, delete it, take over your microphone and camera to monitor your every word and move.
Drake has developed and published a scary exploit that uses a specially crafted text message using the multimedia message (MMS) format. He will present his full findings, including six additional attack techniques to exploit the vulnerability, at Black Hat Security Conference in Las Vegas on August 5 and DEF CON 23 on August 7, where he is scheduled to deliver a talk titled, Stagefright: Scary Code in the Heart of Android. Almost all Android devices containing Stagefright are in question. According to Drake, all versions of Android devices after and including version 2.2 of the operating system are vulnerable.
Can We Expect A Fix?
It is up to each device manufacturer to patch the devices against the Stagefright attack. Google, who operates Android, has patched the code and sent it to device manufacturers. However, devices require over-the-air updates from companies such as Samsung or Motorola to update their customers’ phones. Smartphone manufacturers and wireless carriers have responded to the attack since it has been brought to their attention:
HTC: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”
Samsung: “Google notified us about the issue, and we are working to roll out the software update as soon as possible. Samsung encourages users to keep their software and apps updated, and to exercise caution when clicking on an unsecure mail or link.”
T-Mobile: “These kinds of security fixes are usually released by our third-party device partners, so we’re working with them to ensure those security updates have been deployed.”
While some of us, including myself, get sick of updating our phones every month because it can take quite a while to download or it takes up a lot of our storage; we HIGHLY encourage you to update your Android device as soon as possible. Not having the correct update on your phone could be catastrophic to the data and your individual privacy.
