Security researchers at Zimperium have some bad news for Android users out there who regularly send and receive multimedia messages. According to the researchers, a major security hole exists in the Android platform which could potentially allow malicious individuals to gain access to a device by simply sending a seemingly innocent text message to the targeted number. Android is currently the most popular mobile operating system on the planet, accounting for approximately 80% of smartphones in existence, so it isn’t difficult to understand why this is a serious cause for concern.
The ability to exploit the vulnerability within the Android platform is so serious that an attacker could take over the device from a remote location before the phone even has a chance to notify the user of an incoming text. According to Zimperium researcher Joshua Drake:
This happens even before the sound that you’ve received a message has even occurred. That’s what makes it so dangerous. It could be absolutely silent. You may not even see anything.
Drake, who is also the co-author of the Android Hacker’s Handbook, goes on to explain that the vulnerability can be exploited via a relatively simple piece of malware hidden inside of a purposely created, but seemingly innocent video sent via multimedia text. One of the primary concerns for Drake is the fact that the native Hangouts application instantly processes videos received by the device ensuring that the user experiences no wasted time when loading the video. Unfortunately for Android this method “invites the malware right in”.
Things aren’t as scary if you actually use the native Messages app within Android as this actually requires the user to open the app before the malware within the attachment can be processed and executed. With that said it is worth noting that neither case actually requires the embedded media to be manually opened and viewed. If this type of message is received and processed then it pretty much allows the attackers access to anything. They would be able to view the device camera, listen in on the microphone, and even copy and delete data from the device as they see fit.
Drake and his Zimperium team have already submitted patches to Google for fixing this vulnerability, which have been accepted and will likely filter through to new versions of Android. Whether or not the fix makes it through to your device in an acceptable time period is entirely dependent on the hardware manufacturer and when they roll out the updated version of Android for your particular device.
You may also like to check out: