As many as 950 million Android phones have been found susceptible to data theft after six critical vulnerabilities were exposed, a mobile security expert has warned.
The attack, which can be triggered by a multimedia (MMS) message sent to the phone, is so effective that Android users would have little chance of shielding themselves against it, Joshua Drake, vice president of platform research and exploitation at Zimperium, told Forbes.
For example, when the exploit was delivered to Google Hangouts, the malicious message was processed as soon as it arrived, before the user had even been notified that a new message was waiting, Forbes reported.
Drake reported the bugs to Google, which released patches to its partners, but most phone manufacturers have apparently yet to ship those patches to customers, leaving over 95 percent of Android phones vulnerable.
The flaws lie in Stagefright, the media playback engine built into Android. A crafted media file that exploits them gives the attacker remote code execution on the device with the permissions of the Stagefright component, and from there access to its data. Once the device is compromised, the attacker could copy audio and video files and pictures stored on the SD card, and even control the device's Bluetooth remotely.
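The article does not detail the individual flaws. The class of bug that lets a crafted media file take over its parser is well known, though: a length field read from the file is trusted in 32-bit arithmetic, the running total wraps around, the parser allocates a buffer far smaller than the data it then copies in, and the heap is corrupted. The C code below is an illustration added here; it is not Stagefright's or Drake's code. The chunk layout, the function names and the sample bytes are constructed for the demonstration, and the hardened version shows the two checks a parser needs before it grows a buffer from a size the file supplied.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative only (not libstagefright): a parser keeps a running 32-bit
 * total of the chunk sizes it has read from a media container and grows a
 * heap buffer to that total. The sizes come straight from the file, so
 * they are attacker-controlled. */

/* Vulnerable arithmetic: the sum silently wraps modulo 2^32, so a huge
 * declared size yields a tiny allocation followed by a huge copy. */
uint32_t unsafe_new_len(uint32_t have, uint32_t chunk_size)
{
    return have + chunk_size;   /* 16 + 0xFFFFFFFB wraps to 11 */
}

/* Hardened arithmetic: refuse any size that would wrap the total. */
int checked_new_len(uint32_t have, uint32_t chunk_size, uint32_t *out)
{
    if (chunk_size > UINT32_MAX - have)
        return -1;
    *out = have + chunk_size;
    return 0;
}

/* Hardened append: the declared size must not exceed the bytes actually
 * present in the input, and the running total must not wrap. Only after
 * both checks pass does the buffer grow and the copy happen. */
int checked_append(uint8_t **buf, uint32_t *len,
                   const uint8_t *chunk, uint32_t chunk_size, size_t avail)
{
    uint32_t new_len;
    if (chunk_size > avail)                          /* claims more than the file holds */
        return -1;
    if (checked_new_len(*len, chunk_size, &new_len) != 0)
        return -1;
    uint8_t *p = realloc(*buf, new_len ? new_len : 1);
    if (p == NULL)
        return -1;
    memcpy(p + *len, chunk, chunk_size);
    *buf = p;
    *len = new_len;
    return 0;
}

/* Constructed input: two well-formed 4-byte chunks. Returns the final
 * buffer length (8) or -1 if the parser rejected something. */
long parse_constructed_sample(void)
{
    static const uint8_t chunk_a[] = { 'a', 'b', 'c', 'd' };
    static const uint8_t chunk_b[] = { 'e', 'f', 'g', 'h' };
    uint8_t *buf = NULL;
    uint32_t len = 0;
    long result = -1;

    if (checked_append(&buf, &len, chunk_a, (uint32_t)sizeof chunk_a, sizeof chunk_a) == 0 &&
        checked_append(&buf, &len, chunk_b, (uint32_t)sizeof chunk_b, sizeof chunk_b) == 0)
        result = (long)len;
    free(buf);
    return result;
}

/* A header that declares 64 bytes when only 4 are present: rejected (1). */
int oversized_claim_is_rejected(void)
{
    static const uint8_t data[] = { 1, 2, 3, 4 };
    uint8_t *buf = NULL;
    uint32_t len = 0;
    int rc = checked_append(&buf, &len, data, 64, sizeof data);
    free(buf);
    return rc != 0;
}

/* A header chosen to wrap a 16-byte running total: the unsafe arithmetic
 * would allocate 11 bytes and then copy ~4 GiB; the check rejects it (1). */
int wrapping_claim_is_rejected(void)
{
    uint32_t have = 16, claimed = 0xFFFFFFFBu, out;
    return checked_new_len(have, claimed, &out) != 0;
}

int main(void)
{
    printf("unsafe total for 16 + 0xFFFFFFFB: %u\n", unsafe_new_len(16, 0xFFFFFFFBu));
    printf("checked parser accepts sample, length %ld\n", parse_constructed_sample());
    printf("oversized claim rejected: %d\n", oversized_claim_is_rejected());
    printf("wrapping claim rejected: %d\n", wrapping_claim_is_rejected());
    return 0;
}
```

The point of the second check is that wrap-around is not the only failure: a declared length can be perfectly representable and still exceed the bytes the file actually carries, so a parser must bound every size against the remaining input as well as against the integer type.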
“I’ve done a lot of testing on an Ice Cream Sandwich Galaxy Nexus … where the default MMS is the messaging application Messenger. That one does not trigger automatically, but if you look at the MMS, it triggers, you don’t have to try to play the media or anything, you just have to look at it,” Drake said in an interview with Forbes.
And while Google has accepted the vulnerability reports and patches Drake sent, it has yet to release some of the updates for its own Nexus phones, leaving those users at risk.
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device,” Google said in a statement.