Vicious Texting Exploit Turns 95% Of Android Devices Into Leak-Happy Zombies
Is your phone recording your voice right now? If you have an Android smartphone, you shouldn’t be so sure that it isn’t, given a discovery by a researcher from mobile security firm Zimperium. The San Francisco-based company claims to have uncovered a method for attacking phones, known as Stagefright, which gives a hacker complete access to a smartphone running Google’s operating system – all without the user knowing. There hasn't been any indication that malicious parties have attempted to use the attack... yet.
The seriousness of the threat lies in the way it infiltrates your phone, according to Zimperium researcher Joshua Drake. The attacker hides the malware in a video and texts it to your phone. Look at the text, and your phone is potentially open to the hacker. According to Drake, you don’t even need to watch the video to trigger the malware; viewing the text could be all it takes to turn your phone into a zombie.
And that’s assuming that your phone is using a default messaging app. If your mobile phone is running Google’s Hangouts app, Drake asserts, you wouldn’t need to view the text for the malware to access your phone. That’s because the app will automatically process the video when it arrives. If the attacker has your phone number and your phone is one of the 95 percent of Android devices that are vulnerable to the attack (as estimate by Zimperium), your phone could become compromised.
Google is aware of the situation and has already worked with Zimperium to get patches out to device makers and carriers, but here’s where patching the phones gets tricky. It’s up to them (and not Google) to implement the patches, which means patching your phone is out of Google’s control. If your carrier or device maker takes the threat seriously, your phone may already be patched or could be patched soon.
As scary as Stagefright sounds, the outgoing patches should resolve the problem. And, as Google points out, Android is already designed with certain protections for user data. If you haven’t already, make sure you phone’s software is up to date.
The seriousness of the threat lies in the way it infiltrates your phone, according to Zimperium researcher Joshua Drake. The attacker hides the malware in a video and texts it to your phone. Look at the text, and your phone is potentially open to the hacker. According to Drake, you don’t even need to watch the video to trigger the malware; viewing the text could be all it takes to turn your phone into a zombie.
And that’s assuming that your phone is using a default messaging app. If your mobile phone is running Google’s Hangouts app, Drake asserts, you wouldn’t need to view the text for the malware to access your phone. That’s because the app will automatically process the video when it arrives. If the attacker has your phone number and your phone is one of the 95 percent of Android devices that are vulnerable to the attack (as estimate by Zimperium), your phone could become compromised.
Google is aware of the situation and has already worked with Zimperium to get patches out to device makers and carriers, but here’s where patching the phones gets tricky. It’s up to them (and not Google) to implement the patches, which means patching your phone is out of Google’s control. If your carrier or device maker takes the threat seriously, your phone may already be patched or could be patched soon.
As scary as Stagefright sounds, the outgoing patches should resolve the problem. And, as Google points out, Android is already designed with certain protections for user data. If you haven’t already, make sure you phone’s software is up to date.
