Mobile security expert Joshua Drake, from Zimperium zLabs, warned that sometimes phones parse the attack code before the message is opened. This makes the exploits silent, and the user would have little chance of defending their data. The vulnerabilities are the worst Android flaws ever uncovered, Drake claimed.
Drake had warned Google about the six bugs, and Google has sent out patches to its partners. However, most manufacturers have not made fixes available to protect their customers.
“All devices should be assumed to be vulnerable,” Drake said.
He believes as many as 950 million Android phones could be affected, going on figures suggesting there are just over 1 billion in use. Only Android phones below version 2.2 are unaffected.
The bug is in Stagefright, which is an Android media playback tool. All attackers need to send out exploits are mobile phone numbers. From there, they could send an exploit packaged in a Stagefright multimedia message. This allows them to write code to the device and steal data from sections of the phone that Stagefright controls.
Recording of audio and video, and snooping on photos stored on SD cards, would be possible. Bluetooth would also be hackable via Stagefright.
The victim might never know they had even received a message. Drake found that when the exploit code was opened in Google Hangouts it would “trigger immediately before you even look at your phone.”