Most Android phones at risk from simple text hack, researcher says

Last year, more than 1 billion Android devices shipped around the globe. Security firm Zimperium says this vulnerability could affect 95 percent of them.

Don Reisinger
CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
Don Reisinger
4 min read

Stagefright is the subject of a new vulnerability that could wreak havoc on an Android device. Zimperium

A security research company claims to have found a vulnerability baked into Android that could endanger nearly all devices running the popular mobile software.

The flaw, says researcher Zimperium, exists in the media playback tool built into Android, called Stagefright. Malicious hackers could take advantage of it by sending to an Android device a simple text message that, once received by the smartphone, would give them complete control over the handset and allow them to steal anything on it, such as credit card numbers or personal information.

So far, Zimperium told National Public Radio, the flaw has not been exploited, but in a blog post on its own website, it said that 95 percent of Android devices worldwide are vulnerable.

And that is potentially a lot of phones. In 2014, over 1 billion Android devices shipped worldwide, according to researcher Strategy Analytics, which expects the number to rise in 2015 and beyond. Zimperium called Stagefright the "mother of all Android vulnerabilities."

Google's Android software has been highly susceptible to security flaws for years, in part because of the open design that makes it popular as an alternative to Apple's iOS, the software that underlies the iPhone and iPad. In the first quarter, 99 percent of mobile malware targeted Android devices, according to security firm F-Secure.

And fixes to Android can take time to get to people's smartphones as those updates ripple through various phone makers and wireless service providers.

Zimperium said it discovered the issue in April and promptly informed Google.

A Google spokeswoman said that those intermediaries are armed with the patches they need to safeguard devices, though she did not offer specifics on which were ready to push those changes through, or when that might happen.

"The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device," the Google spokeswoman said. "Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."

How the vulnerability gets exploited

The malware that would exploit the Android vulnerability hides inside a short video sent to a person's phone number, according to NPR, which reported on the bug Monday. As soon as the malicious text is received, features built into Stagefright to reduce lag time for viewing videos process the video to prepare it for viewing. That processing apparently is enough for bad guys to get their hooks into the platform and take control.

Exactly when the device might be exploited depends on the messaging platform a person employs. Those using the standard Messenger app built into Android would need to open the text message (but not necessarily watch the video) to fall victim to the trap. Those who are running Google's Hangouts app to handle text messaging, however, need not even open the application, according to Zimperium. As soon as Hangouts receives the text, it processes the video and the hacker is in. (The Google's Play app marketplace says Hangouts has been downloaded between 1 billion and 5 billion times.)

To compound the threat to Android devices, Google is largely powerless when it comes to actually getting patches to users. Phone makers including Samsung, LG and Huawei, as well as wireless carriers, all have control over how updates are sent to products.

Once Android is bundled into a product, it's typically been modified by those third parties. When security updates are required, Google can only send out a patch and after that, it's up to the phone maker or carrier to push those updates to phones.

Acknowledging that Android has become a destination for malware, Google in June announced a rewards program that pays researchers cash for finding bugs and holes that may be exploited in the operating system. Google has offered similar rewards programs to researchers for years with great effect. The company has doled out rewards to researchers who find flaws or security vulnerabilities in its Chrome browser and other software. In 2013, one security expert going by the name Pinkie Pie earned $50,000 for finding a particularly nasty bug in Chrome. Last year alone, Google paid out over $1.5 million to security researchers finding flaws in Chrome and other Google products. In total, the company has paid out $4 million since its bug bounties started in 2010.

Zimperium, which sent a patch to Google that the Android maker has accepted, told NPR that he estimates only 20 percent to 50 percent of Android devices currently in the wild will actually get the updates due to vendors being slow to react -- if they react at all.

While Zimperium says the risks are high for Stagefright to be exploited, and it's possible that malicious hackers will soon take advantage of the flaw, Android device owners have been dodging at least some malware. In April, Google issued a report claiming that malware installs on Android devices fell by 50 percent in 2014. By the end of the year, Google said that fewer than 1 percent of all Android devices had "potentially harmful applications" installed on them.

According to Zimperium's blog, it will show exactly how Stagefright works and can be exploited at the Black Hat hacker conference in Las Vegas, which starts August 1.

Zimperium did not immediately respond to a request for comment.