The vast majority of Android phones can be hacked by sending them a specially crafted multimedia message (MMS), a security researcher has found.
The scary exploit, which requires knowing only the victim's phone number, was developed by Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium.
Drake found multiple vulnerabilities in a core Android component called Stagefright that's used to process, play and record multimedia files. Some of the flaws allow for remote code execution and can be triggered when receiving an MMS message, downloading a specially crafted video file through the browser or opening a Web page with embedded multimedia content.
There are many potential attack vectors because whenever the Android OS receives media content from any source it will run it through this framework, Drake said.
The library is used not just for media playback, but also to automatically generate thumbnails or to extract metadata from video and audio files such as length, height, width, frame rate, channels and other similar information.
This means that users don't necessarily have to execute malicious multimedia files for the vulnerabilities found by Drake to be exploited. The mere copying of such files on the file system is enough.
The researcher isn't sure how many applications rely on Stagefright, but he believes that just about any app that handles media files on Android uses the component in one way or another.
The MMS attack vector is the scariest of all because it doesn't require any interaction from the user; the phone just needs to receive a malicious message.
For example, the attacker could send the malicious MMS when the victim is sleeping and the phone's ringer is silenced, Drake said. After exploitation the message can be deleted, so the victim will never even know that his phone was hacked, he said.
The researcher didn't just find the vulnerabilities, but actually created the necessary patches and shared them with Google in April and early May. The company took the issues very seriously and applied the patches to its internal Android code base within 48 hours, he said.
That code gets shared in advance with device manufacturers that are in the Android partnership program, before it's released publicly as part of the Android Open Source Project (AOSP).
Unfortunately, due to the generally slow pace of Android updates, over 95% of Android devices are still affected, Drake estimates.
Even among Google's Nexus line of devices, which typically get patches faster than those from other manufacturers, only the Nexus 6 has received some of the fixes so far, the researcher said.
Android patches can take months to reach end-user devices through over-the-air updates. That's because manufacturers have to first pull Google's code into their own repositories, build new firmware versions for each of their devices, test them and then work with mobile carriers to distribute the updates. Devices older than 18 months generally stop receiving updates entirely, leaving them vulnerable to newly discovered issues indefinitely.
The vulnerabilities found by Drake affect devices running Android versions 2.2 and higher, which means that there are a huge number of devices that will probably never receive patches for them.
The researcher estimates that only around 20% to 50% of the Android devices that are in use today will end up getting patches for the issues he found. He noted that 50% is wishful thinking and that he would be amazed if that happened.
In an emailed statement, Google thanked Drake for his contribution and confirmed that patches have been provided to partners.
"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult," the company said. "Android devices also include an application sandbox designed to protect user data and other applications on the device."
What attackers can do after they exploit the vulnerabilities found by Drake can vary from device to device. Their malicious code will be executed with the privileges of the Stagefright framework, which on some devices are higher than on others. In general the attackers will get access to the microphone, camera and the external storage partition, but won't be able to install applications or access their internal data.
That said, Drake estimates that on around 50% of the affected devices the framework runs with system privileges, making it easy to gain root access and therefore complete control of the device. On the other devices, attackers would need a separate privilege escalation vulnerability to gain full access.
Since the patches for these flaws are not yet in AOSP, device manufacturers that are not Google partners don't have access to them. It also means that third-party AOSP-based firmware like CyanogenMod is still likely vulnerable.
Drake shared the patches privately with some other affected parties, including Silent Circle and Mozilla.
Silent Circle included the fixes in version 1.1.7 of PrivatOS, the Android-based firmware it developed for its Blackphone privacy-focused device.
Mozilla Firefox for Android, Windows and Mac, as well as Firefox OS were affected by the flaws because they used a forked version of Stagefright. Mozilla fixed the issues in Firefox 38, released in May.
Drake plans to present more details about the vulnerabilities along with proof-of-concept exploit code at the Black Hat Security conference on Aug. 5.