Article Lead Image

Vernon Chan/Flickr (CC BY 2.0) | Remix by Jason Reed

New exploit means nearly any Android phone can be hacked with a single text

Security firm Zimperium will provide full disclosure at the upcoming Blackhat hacking conference.

Photo of Dell Cameron 

Dell Cameron

Tech

Posted on Jul 27, 2015   Updated on May 28, 2021, 7:02 am CDT

As many as 950 million Android devices might be vulnerable to a hack so simple that it only requires a text message.

In some cases, the recipient need not even open the text message for the device to be compromised, according to security researcher Joshua Drake, who first reported the exploit in April. His company, Zimperium zLabs, has labeled it “the worst Android vulnerability in the mobile OS history.”

Zimperium will provide full disclosure of the exploit at the Blackhat and DEF CON hacking conferences next month in Las Vegas. “If you ever heard about Heartbleed, this is much worse,” the company says.

This “unicorn” of smartphone security flaws exists thanks to an Android media playback tool called Stagefright—the vulnerability is likewise called “Stagefright,” and yes, it has its own logo:

Zimperium’s zLabs

Drake, co-author of the Android Hacker’s Handbook, tells Forbes that a malicious hacker could write code to or steal data from Android devices by sending a multimedia message (MMS) which would gain them access to the Stagefright tool. From that point, the attacker could record audio and video and view stored media files. The target phone’s Bluetooth is also vulnerable to Stagefright, Drake reports.

Through the exploit, a hacker would gain full access to whatever permissions are granted to Stagefright’s code. On a few older devices, including the Samsung S4 and LG Optimus Elite, the exploit would give the hackers system-level privileges. The exploits, Drake said, are easy to find and quite a few are already public.

“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus… where the default MMS is the messaging application Messenger,” Drake told Forbes. “That one does not trigger automatically but if you [look] at the MMS, it triggers—you don’t have to try to play the media or anything, you just have to look at it.”

According to Google, many new phones running Android have technologies in place “designed to make the exploitation more difficult.” The company cited as one example the Application Sandbox, which isolates app data and code execution from other apps. 

H/T Forbes | Photo by Vernon Chan/Flickr (CC BY 2.0) | Remix by Jason Reed

Share this article
*First Published: Jul 27, 2015, 12:48 pm CDT

Dell Cameron

Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.

Dell Cameron