Cybersecurity company Zimperium warned of a flaw in Android, the world’s most popular smartphone operating system, that allows hackers to gain control via a simple text message.
“Attackers need only your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS (text message),” said Zimperium Mobile Security in a blog post.
It noted that a fully-weaponised successful attack could actually delete the message before the recipient even sees it.
At the heart of this flaw is Android code known as Stagefright, said Zimperium. The code automatically pre-loads video snippets that are attached to text messages in order to spare recipients the time of waiting to view the clips.
Research by Zimperium’s Joshua Drake revealed that hackers can conceal malicious code in video files, which will be unleashed even if the message is never opened or read.
“The targets for this kind of attack can be anyone,” said the cyber-security firm.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited.”
As such, Stagefright imperils around 950 million, or 95 per cent, of Android phones.
The cybersecurity firm said it reported the flaw to Google and provided the tech firm with patches to prevent breaches.
While Google has applied the patches to its internal code branches, Zimperium said it is only the start of “a very lengthy process of update employment.”
Fortunately, hackers do not appear to have taken advantage of the flaw.