Security researchers have discovered a vulnerability in Android’s software that puts about 950 million Android phones at risk of being exploited via text message.
A hacker can exploit the flaw, which has been dubbed Stagefright, to infect a person’s Android phone simply by sending it a message, according to Zimperium Mobile Security, the security firm that discovered the flaw.
The vulnerability affects Android devices running version 2.2 and later, which means practically all of the Android devices in use today are vulnerable. But devices running versions before Jelly Bean, which make up about 11 per cent of all Android devices, are most at risk, the company said on its website.
All the hacker needs is the person’s phone number. Once the phone is infected, the hacker can basically take it over.
One way hackers commonly spread malware is by spear-phishing. Spear-phishing is when a hacker sends out a malicious link or attachment posing as legitimate. By clicking the link or opening the attachment, a person can be infected.
But Stagefright is different because it doesn’t always require any action by the Android user. Even if a user doesn’t open the text message, they can still be exploited by just receiving the message if the hacker uses a specific remote code execution method.
“Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponised successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” the security firm said on its website.
Zimperium notified Google of its findings and the company applied a security patch to internal code within 48 hours, but that doesn’t mean it will reach all users.
In a statement to The Telegraph, Google said it did not know of any Android users who were affected by the vulnerability:
“This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.”
But because the latest version of Google’s Android is provided to manufacturers who in turn sell the devices to consumers, these patches have to be distributed by the manufacturers and sometimes take time to reach consumers. And even once a manufacturer distributes a patch, the consumer can always reject the update.
Tech Insider reached out to Google for more information and will update this story if the company responds.