Recently, a rather disturbing flaw has been discovered in the Android platform. Joshua Drak, from Zimperium zLabs, reported some serious flaws in the Android platform back in April, 2015. Simply by knowing a user's phone number, someone could send a text to that number and break into the device. The end user doesn't need to open a file, click on a link, or install a third-party piece of software. They only need receive a text.
To make matters worse, the malicious code takes over the second said text is received, even before Android has had a chance to notify you of the incoming missive.
How it works is simple:
- The hacker creates a short video
- The hacker tucks malicious code inside the video
- The hacker texts the video to your number
If you're using the Google Hangouts messenger app, the video processes the second it is received. The attacker could even delete the message before you noticed (if you ever noticed) anything had gone on. If, on the other hand, you're using the default messenger app, you would actually have to view the text before processing begins.
The flaw resides in the Android media playback system called Stagefright, which allows users to infiltrate a device and exfiltrate data. There are six major remote code execution bugs, and they are said to be the worst Android flaws to ever be uncovered. To make matters worse, most affected software has not been patched.
In some older devices, such as the Samsung Galaxy S4, the malicious code runs with escalated privileges, so the attacker gains access to even more data.
The good news is the patch for this vulnerability has been submitted and should find its way to your device very soon.
What to do now
Until the patch has managed to make its way to your device, your best bet is to not use Google Hangouts. Period. If you've adopted Hangouts as your default messaging tool, unset it. To do this, follow these steps:
- Open Hangouts
- Tap the overflow menu (three horizontal lines in the top left corner)
- Tap Settings in the sidebar
- Tap the account associated with Hangouts
- Locate Messages (under GOOGLE VOICE)
- Tap to uncheck Messages
- Open the default Android Messenger app
- Tap the menu button
- Tap Settings
- Tap Default SMS app
- Again, tap Default SMS app
- Select Messenger (Figure A)
Unsetting Google Hangouts as the default SMS client.
You should also consider using an SMS blocker tool, such as TEXT BLOCKER to help prevent incoming texts from unknown numbers.
At this point, at least you know that, in order for the malicious code to reach your system, you'll have to view the message (you don't even have to play the video). The safest bet is to not even view messages from unknown numbers.
Considering these bugs were reported back in April, it's fairly shocking to find out they still remain. I hope that the recent release of the known bug (and the ensuing barrage of media coverage) will help light a fire under Google and other application developers to fix this vulnerability.
- AppBugs and their quest to protect Android
- Secure your lost or stolen phone from another device with Cerberus commands
- Get serious about Android anti-theft with Cerberus
- AMC Security is a one-stop security shop for Android
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.