Skip to main content

A hacker can take over your Android device with just a text message

There's a new vulnerability in Android which allows an attacker to take control of a device by simply sending a message, NPR (opens in new tab) has reported.

The worst part is – for the majority of users there’s no fix yet.

The weakness is found in Stagefright, a part of Android OS which processes media content on phones and tablets. A maliciously crafted video can be used to deliver a program which will run on the phone as soon as it is processed by Stagefright. And by “processed” I don’t mean viewed. The video doesn’t even need to be played for the hack to work.

With Android’s default messaging app, all the user has to do is view the message to trigger the Stagefright vulnerability, he doesn’t have to play the video. The same thing is with Hangouts – it automatically pre-processes videos when they’re received to cut down the delay if the user wants to watch them straight away.

That means if an attacker sends an MMS, it can take over the phone “before the sound that you’ve received a message has even occurred,” NPR says.

The flaw was first discovered by researcher Joshua Drake, and it allows an attacker to do anything from read and delete data to spy on the owner through their camera and microphone.

Chris Wysopal, the chief information security officer for app security specialists Veracode, called the flaw “Heartbleed for mobile”, referring to the widespread bug that put hundreds of thousands of websites at risk of hacking in April 2014.

In a statement, Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.

“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.”

Google says those using a newer version of Android should be safe, but the Stagefright bug – which affects the Android operating system all the way back to 2010’s version 2.2 – may never be fixed for a huge number of phones still in use.

Industry reaction

Jeremiah Grossman, Founder and CTO of WhiteHat Security (opens in new tab):

"The way this particular vulnerability will play out is going to be very interesting. The Stagefright vulnerability has all the potential to create a fast spreading worm, which the Infosecurity industry hasn’t seen in quite a while - even on desktops. And I don’t know of any worms that have ever hit a mobile platform.

"Additionally, it’ll also be interesting to watch the patch deployment statistics. What’s challenging here is that each Android handset manufacturer has to deploy their own patch, even though Google has already updated the main Android codebase to fix the issue. Many Android handset manufactures don’t have the best reputation for making the latest and greatest security patches available …quickly or ever. So, odds are, there are going to be a lot of vulnerable Android phones for quite some time.

"I wonder if the network providers could offer some security assistance by blocking malicious texts like this."

Steve Pao, General Manager of Security at Barracuda Networks (opens in new tab):

“The potential risk is reasonably large. This is because of the complexity of the Android update ecosystem that is dependent on not only Google, but handset manufacturers and carriers. Because of the ability to do remote code execution off the downloading of an MMS message, the potential impact could be quite serious and spread beyond the individual to the organisation. This would enable a device to access confidential data.

"Organisations need to continue to use mobile device management solutions as well as ensuring good network access control policies are implemented.”

Image source: Shutterstock/ (opens in new tab)Palto (opens in new tab)

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.