All it takes is one MMS to hack your Android phone

Computers are sometimes so fragile that it takes very little to crack them open to remote abuse. That said, in most cases it takes some action on the part of the user, like opening a file or clicking a link, to start the process. This new Android vulnerability, however, is frightening in the sense that the user doesn't need to do anything at all. Just by receiving a multimedia message, without even opening it, an Android smartphone can become a sitting duck for hackers and miscreants.

According to mobile security company Zimperium, the culprit here is a part of Android's own framework, an ominously named software library called Stagefright, tasked with processing multimedia files, like those in MMS. With MMS, Stagefright processes the files as soon as they are received, even before the user opens them. Zimperium attributes Stagefright's vulnerability to the fact that it's written in C++, a "near the metal" programming language that is more prone to memory corruption, and therefore security exploits, than Android's native Java language.

The good news: Zimperium reported this vulnerability long ago to Google and even provided suggested patches to plug the hole. To its credit, Google acted swiftly and accepted the patches.

The bad news: the fix isn't arriving yet. One ugly part of Android's open nature is that Google doesn't have full control when it comes to rolling out critical updates like this. Unless it's a Nexus device, the update first needs to pass through OEMs, who will perform their own tests and certifications before rolling it out. Worst case scenario, it also has to pass through carriers, who have their own suite of tests.

In short, it could take weeks, even months for a severe security hole to be fixed, and that's only for more recent devices that receive active updates from OEMs and carriers. Given that the Stagefright vulnerability affects most devices from Android 2.2 Gingerbread and later, about 95 percent of devices in the market, we can only hope that no one drags their feet in this matter.

SOURCE: Zimperium