A shocking flaw in Android devices that can enable easy hacking has been discovered recently, and your Android phone is most probably vulnerable now.
According to technology news website CNET, a simple multimedia message to a vulnerable Android phone is all it takes for hackers to pry out personal data from an unaware Android device user. And while Android’s owner, Google, has developed a fix for that, it may take a while before some manufacturers send out this fix to users of their devices.
The Android flaw affects over 900 million Android devices with Android versions 2.2 and higher.
Joshua Drake, vice president of platform research and exploitation at Zimperium zLabs, spoke to Forbes magazine about this shocking flaw.
“All devices should be assumed to be vulnerable,” he said, underlining the importance of resolving this Android flaw as soon as possible.
The flaw exists in Android’s media tool, called Stagefright. Hackers only need to have a victim’s Android mobile phone number to send a “remote code execution” bug that exploits Android’s Stagefright flaw. The Android hacking code would be written into a seemingly innocent multimedia message that gets sent to the phone. While the hacker would then be able to snoop around areas of the phone that Android Stagefright’s security permissions allow, a hacker would still be able to access stored photos and videos (including those stored in an attached SD card), record audio and videos, and access the Android device’s Bluetooth.
Still not shocked?
In some cases – depending on the messaging application on your Android phone — you would not even have to open the message for the hacker to gain access. According to Joshua Drake, a message in your Google Hangouts app on your Android device with the malicious code scripted into it would “trigger immediately before you even look at your phone” and “before you even get the notification.”
So, you really wouldn’t know your Android device was hacked, because you would not even be prompted to open the multimedia in the message to trigger it.
“The scariest part is that a Stagefright attack does not require any action by the victim, meaning the flaw can be exploited remotely while a device owner is asleep,” Business Insider quoted Drake as saying.
A Google spokesperson spoke to Business Insider and confirmed the Android Stagefright flaw.
“We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.”
How worried are you about your phone’s security after this major Android flaw has been revealed?
[Photo by Robert Bumahn]