This story is over 5 years old.


These Bugs Could Leave 950 Million Android Devices Vulnerable to Hackers

The researcher who found them called them the worst Android bug ever discovered
Image: Kham Tran/Flickr

Your Android phone could be hacked completely unbeknownst to you, owing to newly discovered bugs that potentially affects as many as 950 million cell phone users, according to new research.

The critical bugs were found inside the Android Open Source Project (AOSP) source code, which powers Android devices, by Joshua Drake, a security researcher and co-author of the Android Hacker Handbook. For Drake, these are the worst vulnerabilities ever discovered in Android, both because of its widespread reach and because in theory, a hacker could use it to hack someone without the victim even noticing.


"This vulnerability can be triggered while you sleep," Drake, who is also VP of platform research and exploitation at security firm Zimperium zLabs, wrote in a blog post to be published on Monday. "Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone."

"This vulnerability can be triggered while you sleep."

That's possible because, according to Drake, a hacker only needs to send you a malicious file via Multimedia Message Service (MMS) to execute code on your phone to take advantage of these bugs, without you even interacting with the message. By doing that, the hacker can then record audio and video, and access pictures stored on the phone, according to Drake.

"This is Heartbleed for mobile," Chris Wysopal, the CTO of Veracode, told Motherboard in an email. Vulnerabilities like those found by Drake, he added, "are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS."

Drake found the bugs in an Android media playback engine called Stagefright, which makes the operating system play popular multimedia files. Drake will reveal all the details of his research at the upcoming Black Hat and Def Con security and hacking conferences in Las Vegas.

In the meantime, Drake has worked with Google to find a patch for the bugs, and the internet giant responded quickly to make a patch.


"We responded quickly and patches have already been provided to partners that can be applied to any device," Elizabeth Markman, a spokesperson for Google's Android team, told Motherboard in an email.

The problem is that patching isn't fully in the hands of Google.

The problem, however, is that patching isn't fully in the hands of Google. All the cell phone manufacturers that use Android now need to push out the patch to its customers, and it's anyone guess when that'll happen. Historically, some manufacturers have taken months to issue even critical patches. At times, for devices older than a year or 18 months, patches never come.

Thanks to how Android's newer versions isolate or "sandbox" apps, however, a hacker shouldn't have access to all the data on the phone even if they take advantage of Stagefright. But given Stagefright permissions, that still theoretically allows the hacker to snoop on the victim through the phone's camera and microphone, and steal pictures.

At this point, only SilentCircle's Blackphone and Mozilla Firefox have pushed patches out. It's unclear when other manufacturers will do the same. If you have Android, all you can do is wait, and install the update as soon as you get it.

This story has been updated to include Chris Wysopal's comments.