As many as 950 million Android devices might be vulnerable to a hack so simple that it only requires a text message.
In some cases, the recipient need not even open the text message for the device to be compromised, according to security researcher Joshua Drake, who first reported the exploit in April. His company, Zimperium zLabs, has labeled it “the worst Android vulnerability in the mobile OS history.”
Zimperium will provide full disclosure of the exploit at the Black Hat and DEF CON hacking conferences next month in Las Vegas. “If you ever heard about Heartbleed, this is much worse,” the company says.
This “unicorn” of smartphone security flaws exists thanks to an Android media playback tool called Stagefright—the vulnerability is likewise called “Stagefright,” and yes, it has its own logo.
Drake, co-author of the Android Hacker’s Handbook, tells Forbes that a malicious hacker could run code on or steal data from Android devices by sending a multimedia message (MMS) that would gain them access to the Stagefright tool. From that point, the attacker could record audio and video and view stored media files. The target phone’s Bluetooth is also vulnerable to Stagefright, Drake reports.
Through the exploit, a hacker would gain full access to whatever permissions are granted to Stagefright’s code. On a few older devices, including the Samsung S4 and LG Optimus Elite, the exploit would give the hackers system-level privileges. The exploits, Drake said, are easy to find and quite a few are already public.
“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging application Messenger,” Drake told Forbes. “That one does not trigger automatically but if you [look] at the MMS, it triggers—you don’t have to try to play the media or anything, you just have to look at it.”
According to Google, many new phones running Android have technologies in place “designed to make the exploitation more difficult.” The company cited as one example the Application Sandbox, which isolates app data and code execution from other apps.