Bad News: Security Hole Can Let An Attacker Take Over Your Android Phone With A Single Text

It’s a bad news Monday for up to 950 million — yes, that’s almost 1 billion — Android device owners worldwide. A vulnerability that would let a hacker take over your phone remotely has been announced, and it’s a doozy.

The damage travels by text, Forbes reports, and takes advantage of a weakness in a piece of code called Stagefright.

Stagefright is a tool Android uses to play back media — any text you get that’s an MMS (as opposed to an SMS) is played back to you using Stagefright. Any app that can read your text messages sits on top of that code, from Google Hangouts to your pre-installed default “Messaging” program.

Joshua Drake, the security researcher who discovered the flaw, told Forbes that the only thing a hacker would need to send out exploitations would be phone numbers. Attackers could then send messages to those numbers with bad code packaged in that would allow them to access the receiving device and steal data.

The level of access attackers would gain would allow access to files stored on SD cards as well as on the phone memory. Attackers could also turn your phone into a bug, remotely recording audio and video without your knowledge. Bluetooth access is also hackable via Stagefright. All versions of Android from 2.2 and up are considered vulnerable.

If that sounds terrifying, well, it kind of is. And then it gets worse. The exploit isn’t like a virus-laden e-mail attachment; you don’t actually have to try to view the media in order to be affected. Merely looking at the message in some apps is enough.

And then there are the apps where you don’t even have to open the message: for folks who use Google Hangouts to read their texts, Hangouts would open and access the exploit code “immediately before you even look at your phone… before you even get the notification,” Drake told Forbes, adding that it’s possible then to delete the message before the user even receives an alert, making the attack completely silent.

The good news is, after Drake reported his findings, Google has verified and corrected seven security holes. But here’s the bad news: Google doesn’t update Android phones directly. Service providers do. So Verizon, Sprint, T-Mobile, AT&T, and other, smaller carriers all have to push patches to their own Android customers… and they are not known for doing so quickly.

Drake will be speaking about his process for discovering vulnerabilities in Android at the Black Hat InfoSec conference in Las Vegas next week.

Stagefright: It Only Takes One Text To Hack 950 Million Android Phones [Forbes]