Mobile security researchers at Zimperium say that they have discovered the “worst Android vulnerability in the mobile OS history” – and it can infect your smartphone simply by receiving an MMS message. Unlike most malware, it is not necessary to open the message in order for your phone to be compromised, reports NPR.
“This happens even before the sound that you’ve received a message has even occurred,” says Joshua Drake, security researcher with Zimperium and co-author of Android Hacker’s Handbook. “That’s what makes it so dangerous. [It] could be absolutely silent. You may not even see anything.”
Once the MMS has been received, it activates code which gives the attacker complete control of your Android device – everything from copying data to taking over the microphone and camera …
Google’s lead engineer for Android Security Adrian Ludwig confirmed that it has rated the severity of the vulnerability as “high,” defined as allowing “remote unprivileged code execution (execution at a privilege level that third-party apps can obtain through installation)” and giving the code “local access to system/signature-level permission data or capabilities without permission.”
The attack mechanism exploits a Google Hangouts feature designed to streamline the experience of viewing video.
The bad guy creates a short video, hides the malware inside it and texts it to your number. As soon as it’s received by the phone, Drake says, “it does its initial processing, which triggers the vulnerability.”
The messaging app Hangouts instantly processes videos, to keep them ready in the phone’s gallery. That way the user doesn’t have to waste time looking. But, Drake says, this setup invites the malware right in.
If you instead use the default Messaging app, it won’t auto-run on receipt, but will still run as soon as the message is displayed.
There are two pieces of good news. First, says Drake, there’s no evidence that the vulnerability is yet being exploited in the wild. Second, Drake supplied full details to Google – together with patches to close the security hole – and the company says that it has accepted them.
The bad news is that even when Google issues the patches, they are likely to reach only 20-50% of existing devices. Google cannot update most devices automatically, relying on manufacturers and carriers to issue the fix. Collin Mulliner, senior research scientist at Northeastern University, says that many choose not to.
If you can save money by not producing updates, you’re not going to do that.
There’s nothing an end user can do to protect against the issue, but it underlines the wisdom of accepting Android updates as soon as they are offered by your manufacturer or carrier.