The vast majority of Android phones can be hacked by sending them a specially crafted multimedia message (MMS), a security researcher has found.
The scary exploit, which only requires knowing the victim's phone number, was developed by Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium.
Drake found multiple vulnerabilities in a core Android component called Stagefright that's used to process, play and record multimedia files. Some of the flaws allow for remote code execution and can be triggered when receiving an MMS message, downloading a specially crafted video file through the browser or opening a Web page with embedded multimedia content.
There are many potential attack vectors because whenever the Android OS receives media content from any source it will run it through this framework, Drake said.
The library is not used just for media playback, but also to automatically generate thumbnails or to extract metadata from video and audio files such as length, height, width, frame rate, channels and other similar information.
This means that users don't necessarily have to execute malicious multimedia files in order for the vulnerabilities found by Drake to be exploited. The mere copying of such files on the file system is enough.
The researcher isn't sure how many applications rely on Stagefright, but he believes that just about any app that handles media files on Android uses the component in one way or another.
The MMS attack vector is the scariest of all because it doesn't require any interaction from the user; the phone just needs to receive a malicious message.
For example, the attacker could send the malicious MMS when the victim is sleeping and the phone's ringer is silenced, Drake said. After exploitation the message can be deleted, so the victim will never even know that his phone was hacked, he said.
The researcher didn't just find the vulnerabilities, but actually created the necessary patches and shared them with Google in April and early May. The company took the issues very seriously and applied the patches to its internal Android code base within 48 hours, he said.
That code gets shared in advance with device manufacturers that are in the Android partnership program, before it's released publicly as part of the Android Open Source Project (AOSP).
Unfortunately, due to the generally slow pace of Android updates, over 95 percent of Android devices are still affected, Drake estimates.
Even among Google's Nexus line of devices, which typically get patches faster than those from other manufacturers, only the Nexus 6 has received some of the fixes so far, the researcher said.
Sign up for CIO Asia eNewsletters.