Android is the most popular mobile operating system on Earth: About 80 percent of smartphones run on it. And, according to mobile security experts at the firm Zimperium, there’s a gaping hole in the software — one that would let hackers break into someone’s phone and take over, just by knowing the phone’s number.
Just A Text
In this attack, the target would not need to goof up — open an attachment or download a file that’s corrupt. The malicious code would take over instantly, the moment you receive a text message.
“This happens even before the sound that you’ve received a message has even occurred,” says Joshua Drake, security researcher with Zimperium and co-author of Android Hacker’s Handbook. “That’s what makes it so dangerous. [It] could be absolutely silent. You may not even see anything.”
Here’s how the attack would work: The bad guy creates a short video, hides the malware inside it and texts it to your number. As soon as it’s received by the phone, Drake says, “it does its initial processing, which triggers the vulnerability.”
Google’s upcoming “now on tap” feature will let smartphone users ask a question within an app like Spotify.
The messaging app Hangouts instantly processes videos, to keep them ready in the phone’s gallery. That way the user doesn’t have to waste time looking. But, Drake says, this setup invites the malware right in.
If you’re using the phone’s default messaging app, he explains, it’s “a tiny bit less dangerous.” You would have to view the text message before it processes the attachment. But, to be clear, “it does not require in either case for the targeted user to have to play back the media at all,” Drake says.
Once the attackers get in, Drake says, they’d be able do anything — copy data, delete it, take over your microphone and camera to monitor your every word and move. “It’s really up to their imagination what they do once they get in,” he says.
There’s A Solution, In Theory
According to Zimperium, this set of vulnerabilities affects just about every active Android phone in use. Drake says he discovered it in his lab, and he does not believe that hackers out in the wild are exploiting it — at least not yet.
In correspondence in April and May, he shared his findings with Google, which makes the Android operating system. He even sent along patches to fix the bugs.
“Basically, within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great,” he says. “You know, that’s a very good feeling.”
But it goes away very quickly, he says, when you look at how long it’ll take his Nexus, my Samsung Galaxy and your LG or ZTE to get those patches. Drake says that as few as 20 percent will get fixed, though the figure may be higher than that, “potentially up to the optimistic number of 50 percent.”
Android Partnerships Are Complicated
Just half of affected smartphones is not a very optimistic estimate. And Google agrees with it.
The company declined a recorded interview. But Adrian Ludwig, the lead engineer for Android security, told NPR the flaw ranks as “high” in the team’s hierarchy of severity; and they’ve notified partners and already sent a fix to the smartphone makers that use Android.
Whether it gets put into people’s phones is not in Google’s hands.
“In this case Google is not the actual one to blame,” says Collin Mulliner, a senior research scientist at Northeastern University. “It’s ultimately the manufacturer of your phone, in combination possibly with your carrier.”
Android phones are very different from iPhones, for example. Apple runs a closed system: It controls the hardware and software, and it’s fairly easy to ship out a major revamp. The company says 85 percent of iPhone users have the latest operating system, iOS 8.
According to security firm F-Secure, 99 percent of mobile malware threats in the first quarter of 2014 were designed to run on Android devices.
Google gives its latest version of Android to manufacturers, and they then tweak it as they please. Carriers like Verizon and T-Mobile do more tweaking. The blog Android Central has described the challenge of updating the operating system as an “impossible problem.” Earlier this year, a hole discovered in the Android Web-browsing app was left largely unpatched too.
Often, Mulliner says, manufacturers don’t have a financial incentive to fix phones already sold.
“If you can save money by not producing updates, you’re not going to do that,” he says. “Since the market is moving that fast, it sometimes doesn’t make sense for the manufacturer to provide an update.”
NPR has asked leading phone makers and wireless service providers whether they’ll fix the bug. We’re waiting for responses and will post them to this page.
Updated 5:17 p.m. ET July 27: Google Issues Statement
After this story aired, Google said: “We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.
“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.”
Updated 10:44 a.m. ET July 28: More Companies Respond
Here are the responses we’ve received so far from smartphone manufacturers and wireless carriers:
HTC: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”
Silent Circle (on Twitter): “We patched Blackphone weeks ago!”
Samsung: “Google notified us about the issue, and we are working to roll out the software update as soon as possible. Samsung encourages users to keep their software and apps updated, and to exercise caution when clicking on an unsecure mail or link.”
Google Nexus: “As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at [the Black Hat conference].”
T-Mobile: “These kinds of security fixes are usually released by our third-party device partners, so we’re working with them to ensure those security updates have been deployed.” Also, the company says, “You may wish to contact the device manufacturers directly, as they can tell you more about their specific plans for these security update releases.”