Android is the most popular mobile operating system on Earth: About 80 percent of smartphones run on it. And, according to mobile security experts at the firm Zimperium, there’s a gaping hole in the software — one that would let hackers break into someone’s phone and take over, just by knowing the phone’s number.
In this attack, the target would not need to goof up — open an attachment or download a file that’s corrupt. The malicious code would take over instantly, the moment you receive a text message.
“This happens even before the sound that you’ve received a message has even occurred,” says Joshua Drake, security researcher with Zimperium and co-author of Android Hacker’s Handbook. “That’s what makes it so dangerous. [It] could be absolutely silent. You may not even see anything.”
There’s A Solution, In Theory
According to Zimperium, this set of vulnerabilities affects just about every active Android phone in use. Drake says he discovered it in his lab, and he does not believe that hackers out in the wild are exploiting it — at least not yet.
In correspondence in April and May, he shared his findings with Google, which makes the Android operating system. He even sent along patches to fix the bugs.
“Basically, within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great,” he says. “You know, that’s a very good feeling.”
But it goes away very quickly, he says, when you look at how long it’ll take his Nexus, my Samsung Galaxy and your LG or ZTE to get those patches. Drake says that as few as 20 percent will get fixed, though the figure may be higher than that, “potentially up to the optimistic number of 50 percent.”
Updated 5:17 p.m. ET July 27: Google Issues Statement
After this story aired, Google said: “We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”
Updated 10:44 a.m. ET July 28: More Companies Respond
Here are the responses we’ve received so far from smartphone manufacturers and wireless carriers:
HTC: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”
Silent Circle (on Twitter): “We patched Blackphone weeks ago!”
Samsung: “Google notified us about the issue, and we are working to roll out the software update as soon as possible. Samsung encourages users to keep their software and apps updated, and to exercise caution when clicking on an unsecure mail or link.”
Google Nexus: “As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at [the Black Hat conference].”
T-Mobile: “These kinds of security fixes are usually released by our third-party device partners, so we’re working with them to ensure those security updates have been deployed.” Also, the company says, “You may wish to contact the device manufacturers directly, as they can tell you more about their specific plans for these security update releases.”