Hack Brief: The Android Text Attack

All a hacker would have to do to gain access to your device is send you a text message containing a malware-infected media attachment.


The malware hides inside a short video sent to a person’s phone number, according to NPR, which reported on the bug on Monday.

The attack mechanism exploits a Google Hangouts feature designed to streamline the experience of viewing video.

Another interesting aspect of the exploit is that once the it has been delivered, the hacker can delete the message before the user had been alerted about it, making attacks completely silent. Once the message is opened, the system is affected. Drake said that he uncovered the vulnerability, codenamed Stagefright, in an interview with Business Insider. Drake says that only Android phones below version 2.2 are not affected by this particular vulnerability.

Android has been racked with security flaws for years as malicious hackers increasingly target the mobile operating system.

The researcher estimates that only around 20 to 50 percent of the Android devices that are in use today will end up getting patches for the issues he found. He noted that 50 percent is wishful thinking and that he would be amazed if that happened.

Google gives its latest version of Android to manufacturers, and they then tweak it as they please. In 2014, over 1 billion Android devices shipped worldwide, according to researcher Strategy Analytics. On many phones, an attacker could gain complete control of the device. There hasn’t been any indication that malicious parties have attempted to use the attack… yet. This means they could get access to audio or media files or photographs stored via SD cards. And, as Google points out, Android is already designed with certain protections for user data. Vendors, including Samsung, LG, Huawei, and others, as well as wireless carriers, all have control over how updates are sent to other products. After that, it’s up to the vendor and/or carrier to push those updates to phones.

The researchers who found the flaws told NPR that they do not believe it is yet in use in the wild.

“The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device”, the spokeswoman said.

Here’s why: According to, as of June 1, Android 4.4 (KitKat) remains the most popular version of Android, even though it’s two iterations back, at 39% of the market.

Unlike the Apple iPhone, in which 84 percent of users run the current operating system, Android users regularly lag behind in updates.

Zimperium zLabs VP of Platform Research and Exploitation, Joshua J Drake, carried out the research which will be presented at Black Hat USA on August 5.

Google’s innovative search technologies connect millions of people around the world with information every day. In total, the company has paid out $4 million since its bug bounties started in 2010.

A new Android vulnerability named Stagefright is one of the worst Android security holes ever.


The researcher didn’t just find the vulnerabilities, but actually created the necessary patches and shared them with Google in April and early May.

Android Security Flaw