Beware of texts: More than 950M Android phones vulnerable to Stagefright MMS hack

Most hacker-related stories regarding Android are overdone with technopanic, but the newly discovered bug in Android's multimedia playback tool Stagefright is one that has users more concerned than usual.

The exploit in question happens when a hacker sends a MMS message containing a video that includes malware code. What's most alarming about it is that the victim doesn't even have to open the message or watch the video in order to activate it. The built-in Hangouts app automatically processes videos and pictures from MMS messages in order to have them ready in the phone's Gallery app.

As such, a hacker could have control of the device before the victim even knows about the text message, and even if they find the message right away, there is nothing they can do to prevent the malware from taking over their device. The hacker would have access to all data for copying or deleting, and even have access to the microphone and camera, all pictures on the device, as well as Bluetooth.

Here's everything you need to know about the hack and what's being done to patch it up on all the affected Android phones:

A researcher alerted Google

The exploit, which was discovered in April by Joshua Drake from Zimperium zLabs, comes from remote code execution bugs residing in the media playback tool in Android called Stagefright. Drake contacted Google and sent patches regarding the vulnerability on April 9, and Google immediately accepted them. Drake reported a second set of issues in May, bringing the total to seven vulnerabilities. Google confirmed that the patches were scheduled to be released.

Google made the following statement: "We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device."

"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult," it continued. "Android devices also include an application sandbox designed to protect user data and other applications on the device."

Who's working on a patch

The problem is that most devices won't receive the patches for several months, if ever. Manufacturers are notoriously slow in providing updates, and the update process is further compounded by each mobile carrier's lengthy internal testing before the software's official release. It's not even certain if Google has patched its own Nexus devices yet. Drake did confirm the Nexus 6 was patched, but for only some of the issues. He praised Silent Circle for already updating the Blackphone, but the Nexus 6 and Blackphone represent a very small amount of Android phones.

HTC told Forbes that its patch will be available very soon: "Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix."

It is believed that all Android phones with Android 2.2 or higher are vulnerable to this attack. Considering there are more than 1 billion Android phones in use on the planet, it's safe to assume that more than 950 million phones are susceptible.

What can you do to avoid being hacked?

Unfortunately there isn't much the consumer can do. You could stop using the Hangouts app as your default messaging application, but it's still an issue with the Messenger app as well. The only difference is that the user must look at the message, but the video doesn't have to be played. Who isn't going to glance at a message to see what it is?

What makes things more confusing is that the Messenger app that Drake refers to is a Google app and it's the default SMS / MMS messaging app on Nexus devices. However, most Android phones don't include Messenger in favor of one that is developed by the manufacturer of the phone. It's unclear whether a hacker can gain access through something like Samsung's own Messages app, which is found on all Galaxy phones.

Then there is the issue of the hackers needing to know your phone number, but what would stop someone from sending millions of random messages?

The good news is that hackers weren't aware of the vulnerability, so it's unlikely anyone is utilizing it at the moment. However, disclosures of the bugs will be released today, which means that exploiters will have enough information to start writing code.

We are likely to find out more about the Stagefright vulnerability next week when Drake demonstrates his findings at the Black Hat and Defcon security events in Las Vegas. We'll keep you updated here.