A vice-president of the mobile security firm Zimperium recently revealed that 95% of all Android phone owners are vulnerable to malware attacks due to flaws in the media processing software (unfortunately named "Stagefright") that Google has used in its mobile operating system for the last five years. More troubling still, those attacks can be triggered without any action from a phone's user.

According to Zimperium’s Joshua Drake, a hacker could conceivably hide a virus in a video file, text the video to your phone number, unleash the virus via the Stagefright software and remove the text message without you knowing about it. Once that happened, the hacker could silently access photos stored on SD cards, the Bluetooth radio, and the phone’s audio and video recording functions.

Drake informed Google of his discovery in April and the company responded to the threat within 48 hours, using patches supplied by Zimperium. “Patches have already been provided to partners that can be applied to any device,” Google informed Android Central. However, in the intervening months, Google’s Android partners have been slow to provide those patches to consumers.

Silent Circle patched its Blackphone and Mozilla eliminated the flaws in version 38 of its Firefox browser, which uses Stagefright to play videos, Zimperium reports. According to Forbes, HTC has addressed the issue in all projects released since early July. But most of the 950 million at-risk users remain vulnerable to attack because of slow responses from other smartphone makers and cell service providers.

For now, customers with Android version 2.2 or later are advised to contact their phone manufacturer or carrier service to inquire about patches for particular phone models.

Chris Raymond

Copyright © 2005-2015 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.