INDIANAPOLIS (WISH, WSPA) — Cyber-security experts are calling a newly revealed Android flaw called Stage Fright “likely the biggest ever discovered.” The flaw could allow hackers to wipe your Android device or even secretly turn on the camera.
New research suggests nearly a billion Android phones are capable of being hacked simply by receiving a picture via text. It affects 95-percent of the Androids in use today and you don’t even have to open the message for the malware to download.
That’s because of the way Android phones analyze incoming text messages. Even before you open a text, the phone automatically processes incoming media files, including pictures, audio, and video. Once that happens, the bug allows hackers to take full control of all device functions, including access to apps, the camera, and even wiping the device clean.
The flaw was uncovered by the security firm Zimperium, which says it exists in the media playback tool built into Android called Stagefright. As CNET explains, malicious hackers could take advantage of it by sending a text message containing malware to an Android device; once received by the smartphone, it would give them complete control over the handset and allow them to steal anything on it, such as credit card numbers or personal information.
“What they figured out how to do,” CNET’s Dan Ackerman told CBS News, “is send you a text message that includes a video file in it. Because very often you can get a text that has a photo or video in it. And in the code for that video file is a string of malicious code that will then activate. And the catch is, you don’t have to actually watch the video. Just receiving it is enough to give people, potentially, access to your Android phone.”
In a blog post on its website, Zimperium said 95 percent of Android devices worldwide are vulnerable. “The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers,” it warned.
But the company told National Public Radio that so far, the flaw has not been exploited by hackers. “That’s the good news,” Ackerman said.
In a statement to CNN, Google acknowledged the flaw. It assured that Android has ways of limiting a hacker’s access to separate apps and phone functions. Yet hackers have been able to overcome these limitations in the past.
Zimperium, the company that identified the flaw, says it told Google about it in April and even provided a fix. The company says Google responded the very next day, assuring a patch was on the way.
A 90-day grace period is typical for issues like this, but Zimperium says 110 days have now passed, so they’re going public with the issue.
Google told CNN that it has sent a fix to it’s partners, but it’s unclear the message is getting out to users.
The problem is Apple can instantly push out updates to all iPhones if an issue ever arises, but Google can’t do that. Google has to work with their phone carriers, like AT&T and Verizon, and the makers of the devices, like Samsung, in order to reach users.
Longtime hacker and cyber-security expert Chris Wysopal told CNN “I’m interested to see if Google comes up with a way to update devices remotely. Unless they can do that, we have a big disaster on our hands.”