MPR News Chief Meteorologist Paul Huttner signs off

MPR News helps you turn down the noise and build shared understanding. Turn up your support for this public resource and keep trusted journalism accessible to all. 

Turn Up Your Support


Android is the most popular mobile operating system on Earth: 

 of smartphones run on it. And, according to mobile security experts at the firm 

, there's a gaping hole in the software — one that would let hackers break into someone's phone and take over, just by knowing the phone's number.


In this attack, the target would not need to goof up — open an attachment or download a file that's corrupt. The malicious code would take over instantly, the moment you receive a text message.


"This happens even before the sound that you've received a message has even occurred," says Joshua Drake, security researcher with Zimperium and co-author of 

. "That's what makes it so dangerous. [It] could be absolutely silent. You may not even see anything."


Here's how the attack would work: The bad guy creates a short video, hides the malware inside it and texts it to your number. As soon as it's received by the phone, Drake says, "it does its initial processing, which triggers the vulnerability."

The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery. That way the user doesn't have to waste time looking. But, Drake says, this setup invites the malware right in.

If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says.

Once the attackers get in, Drake says, they'd be able do anything — copy data, delete it, take over your microphone and camera to monitor your every word and move. "It's really up to their imagination what they do once they get in," he says.

According to Zimperium, this set of vulnerabilities affects just about every active Android phone in use. Drake says he discovered it in his lab, and he does not believe that hackers out in the wild are exploiting it — at least not yet.

In correspondence in April and May, he shared his findings with Google, which makes the Android operating system. He even sent along patches to fix the bugs.

"Basically, within 48 hours I had an email telling me that they had accepted all of the patches I sent them, which was great," he says. "You know, that's a very good feeling."

But it goes away very quickly, he says, when you look at how long it'll take his Nexus, my Samsung Galaxy and your LG or ZTE to get those patches. Drake says that as few as 20 percent will get fixed, though the figure may be higher than that, "potentially up to the optimistic number of 50 percent."

Just half of affected smartphones is not a very optimistic estimate. And Google agrees with it.


The company declined a recorded interview. But Adrian Ludwig, the lead engineer for Android security, told NPR the flaw ranks as "high" in the team's 

; and they've notified partners and already sent a fix to the smartphone makers that use Android.


Whether it gets put into people's phones is not in Google's hands.


"In this case Google is not the actual one to blame," says 

, a senior research scientist at Northeastern University. "It's ultimately the manufacturer of your phone, in combination possibly with your carrier."


Android phones are very different from iPhones, for example. Apple runs a closed system: It controls the hardware and software, and it's fairly easy to ship out a major revamp. The company says 85 percent of iPhone users have the latest operating system, iOS 8.

 of mobile malware threats in the first quarter of 2014 were designed to run on Android devices.
Google gives its latest version of Android to manufacturers, and they then tweak it as they please. Carriers like Verizon and T-Mobile do more tweaking. The blog Android Central has described the challenge of updating the operating system as an "

." Earlier this year, a hole discovered in the Android 

Often, Mulliner says, manufacturers don't have a financial incentive to fix phones already sold.

"If you can save money by not producing updates, you're not going to do that," he says. "Since the market is moving that fast, it sometimes doesn't make sense for the manufacturer to provide an update."

NPR has asked leading phone makers and wireless service providers whether they'll fix the bug. We're waiting for responses and will post them to this page.

Updated 5:17 p.m. ET July 27: Google Issues Statement

After this story aired, Google said: "We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.

"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."

Updated 10:44 a.m. ET July 28: More Companies Respond

Here are the responses we've received so far from smartphone manufacturers and wireless carriers:

HTC: "Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix."

): "We patched Blackphone weeks ago!"
Samsung:

"Google notified us about the issue, and we are working to roll out the software update as soon as possible. Samsung encourages users to keep their software and apps updated, and to exercise caution when clicking on an unsecure mail or link."
Google Nexus:

"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at [the Black Hat conference]."



T-Mobile: "These kinds of security fixes are usually released by our third-party device partners, so we're working with them to ensure those security updates have been deployed." Also, the company says, "You may wish to contact the device manufacturers directly, as they can tell you more about their specific plans for these security update releases."  Copyright 2019 NPR. To see more, visit https://www.npr.org.

Science

Aarti Shahani

Author

A severe flaw in Android, the world's most popular smartphone operating system, would let hackers take over with just a text message.

Major flaw in Android phones would let hackers in with just a text

Go Deeper.

Like this?

News you can use in your inbox