Security company Heimdal Security has discovered that hackers are randomly sending malicious text messages to Android device owners. If the user clicks on the link, the program is downloaded, allowing it to gain administrator rights to the device, the report claims.
Once the payload, known as Mazar BOT, has been unleashed, the hackers can do everything from access the Internet to send text messages. Perhaps most concerning, however, is that they can also fully erase the infected handset, Heimdal says.
Could Your Android Phone Be Hacked With a Text?
Discovered by Zimperium researcher Joshua Drake, the vulnerabilities are hidden in an Android media library known as Stagefright. “Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java,” Drake wrote.
About 95 percent of Android devices, or about 950 million smartphones, are vulnerable, Drake said.
The firm found multiple ways to execute the bug, “the worst of which requires no user-interaction.” All it takes is a 10-digit phone number and an MMS message; some hackers could even delete the message before a user sees it.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” the Zimperium team wrote in a blog post.
No need to open a file or click on a link; the attack could come while you’re sleeping, blissfully unaware that private photos, contact details, bank information, and favorite websites are being accessed. If the timing is right, you’ll wake up none the wiser, carrying on with a trojaned phone.
“If ‘Heartbleed’ from the PC era sends [a] chill down your spine, this is much worse,” the security firm said.
Most smartphones running Android 2.2 and later are vulnerable, though those operating versions prior to Jelly Bean (which accounts for about 11 percent) are at the highest risk.
Zimperium already reported the vulnerability to Google, and submitted its own patches, which the Web giant applies to internal code branches within 48 hours. But a full fix requires an over-the-air firmware update, which could take a while given the state of Android fragmentation. It may not even reach devices older than 18 months.
“We hope that members of the Android ecosystem will recognize the severity of these issues and take immediate action,” the company wrote.
Make it harder for your device to be exploited
Don’t go into complete fear mode after reading this article. What you should do instead is be proactive.
First, download the Stagefright Detector app and run it on your device. It will tell you if you’re susceptible to attack and even adjust your settings to give you some interim protection.
Second, you should disable auto-fetching of MMS for any messaging apps you use. Outlook.com has a step-by-step guide with screenshots for Hangouts and Messenger, among others.
Even more information will be made available by Drake, who deserves much credit for his work in finding and fixing the issues from his extraordinary phone lab containing a “Droid Army”, when he explains his findings in full at the Black Hat and Defcon security events.
We’ll continue to keep this page updated with new info as it becomes available!