
Frightening details have been released of a serious vulnerability in Google’s Android OS. All an attacker needs to take over an Android phone is to send you one message – and you don’t even need to open it.

Android is currently the most popular mobile operating system in the world, with double the market share of Apple – meaning that hundreds of millions of people with a smartphone running Android 2.2 or newer are at risk.

The vulnerability allows an attacker to send a media file in an MMS message that targets the device’s media playback engine, Stagefright, which is responsible for processing several popular media formats – for things like photos or videos. Attackers can steal data from infected phones, as well as hijack the microphone and camera.

Scariest of all, mobile security experts Zimperium report that “A fully weaponized successful attack could even delete the message before you see it. You will only see the notification…Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.” Hackers would be able to delete the offending message – leaving you unaware that your security had been compromised.

What can you do?

Security software and hardware vendor Sophos report that Google has already prepared patches for the bug, and that Google Nexus users are probably “already safe”. Unfortunately, they go on to say “we can’t be sure which other device vendors have already patched, unless they choose to say so, because Zimperium is keeping the exploits under wraps” until the Black Hat USA conference on August 5.

Fortunately, one of the first steps to protect your phone is to disable auto-download of MMS messages, found in the SMS settings. This should be done both in your phone’s messaging app and in Google Hangouts. However, this will not stop infection if you click through a link to a malicious file, so Android users should also consider blocking all messages from unknown senders.

When is your update coming?

Sophos also recommend asking your device vendor whether a patch is available already – and if it isn’t, finding out when to expect it. Meanwhile, NPR report that while Google gives its latest version of the Android OS to the manufacturers of smartphones and tablets, it’s up to the manufacturers to “tweak it as they please” – meaning they don’t all update at the same time. While Silent Circle report their Blackphone was patched “weeks ago”, other manufacturers are still to release updates.