This morning, Forbes reported a potentially serious security flaw in Android, first discovered by Zimperium zLabs, that could affect your phone. The flaw is found in Android’s Stagefright, a multimedia tool at a deep system level. According to this research, a simple MMS (multimedia text) sent to your phone could open up your phone to audio/video recording and also give a hacker access to your photos or Bluetooth. In order to gain that kind of access, they may only need to know your phone number. Zimperium zLabs suggests that some 950 million Android devices are at risk from this bug. Yep, this security bug is actually a pretty big deal.
Zimperium zLabs reported several related vulnerabilities to Google months ago, and Google has already confirmed them and added patches to Android (7 in total to date). The problem is, we don’t know which devices have been patched. For one, Google hasn’t even confirmed that its own Nexus devices are patched, so you can imagine (and probably assume) that your Samsung, Motorola, LG, HTC, etc. non-Nexus phone isn’t patched either.
As I mentioned, the vulnerabilities exist in Stagefright and can be reached through a simple MMS sent to you or me. That MMS may not even need to be opened in order to do its damage. Some apps, like Hangouts, pre-load (if you will) MMS messages to make them quickly accessible to you, which then allows these vulnerabilities to be exploited without you even knowing. In other situations, if you opened a bad MMS, you would trigger it.
Forbes reached out to all of the major manufacturers and none have commented on the status of their phones. Again, assume they haven’t patched anything.
So what does this mean for you? I wish I had solid advice, but this is one of those situations where a bad MMS could potentially get a hold of information on your phone until your phone receives a patch. Zimperium zLabs hasn’t posted the full details on this exploit (they may never) and claims to be the only ones who know exactly how it works, if that gives you any sense of peace. Of course, they plan to talk more about it at this year’s Black Hat and DEF CON conferences in Vegas in a couple of weeks.
We’ll share new info as we have it.