Talk about scary. A security researcher at Zimperium has uncovered a major vulnerability in Android that would allow a no-gooder to take control of your phone by simply sending you an MMS video message.
For apps such as Hangouts, the vulnerability completely bypasses the need for user input because Hangouts automatically “opens” your video when it comes in to buffer it up for fast playback, meaning you won’t even need to so much as click a link or press play for your phone to be exposed.
Other messaging apps which don’t touch the video until you press play might be at less of a risk, but it’s still something to be wary about. It’s also worth noting the vulnerability affects a long line of Android versions, from 2.2 Froyo all the way up to the current Android 5.1 Lollipop.
So what could a hacker do if they happen to be able to use this exploit? One could go as far as taking complete control of your phone, installing spyware or malware, and removing any evidence that they were up to no good.
That’s the bad news. The good news — if you can believe there is such a thing in this story — is as follows:
- The researcher has notified Google and even supplied a patch as early as April and May.
- Said patch has been accepted by Google, and has already been sent to OEMs for their next critical security patches.
- There doesn’t appear to be any known malware out there using the vulnerability, and unless a blackhat hacker happens to figure the vulnerability out, it will probably never surface.
Google’s official response also seems to suggest that the patch can be applied to “any” phone:
“The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.”
And that’s that. So what next? We’re going to need updates, and those will have to come from the OEMs and carriers responsible for the phones out in the world right now.
You’d think they’d want to make sure their customers have the most secure devices possible, but the sad reality is that there is little incentive for OEMs and carriers to keep older devices updated with the latest security patches, and Google actually can’t do much about that if the WebView vulnerability debacle is anything to go by. There’s a chance your phone could miss an update if your OEM has retired it from their list of supported devices, and that’s a real shame because this has the potential to be very dangerous.
Unfortunately that’s all the detail we’re going to get in the here and now, though the exploit is set to be discussed at a major security conference taking place next month, and we’ll be sure to bring you all the latest that comes out of it.
[Update]: Cyanogen, Inc. has already chimed in to let us know that fixes for Stagefright have been in nightly builds of CyanogenMod 12 and 12.1 for as many as two weeks now, with CyanogenMod 11 “out of band” (weekly) releases getting it as soon as this weekend.