Most Android phones can be hacked with a simple MMS message or multimedia file

Vulnerabilities in the Android multimedia framework allow attackers to remotely compromise devices with ease, a researcher said

The vast majority of Android phones can be hacked by sending them a specially crafted multimedia message (MMS), a security researcher has found.

The scary exploit, which only requires knowing the victim's phone number, was developed by Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium.

Drake found multiple vulnerabilities in a core Android component called Stagefright that's used to process, play and record multimedia files. Some of the flaws allow for remote code execution and can be triggered when receiving an MMS message, downloading a specially crafted video file through the browser or opening a Web page with embedded multimedia content.

There are many potential attack vectors because whenever the Android OS receives media content from any source it will run it through this framework, Drake said.

The library is not used just for media playback, but also to automatically generate thumbnails or to extract metadata from video and audio files such as length, height, width, frame rate, channels and other similar information.

This means that users don't necessarily have to execute malicious multimedia files in order for the vulnerabilities found by Drake to be exploited. The mere copying of such files on the file system is enough.

The researcher isn't sure how many applications rely on Stagefright, but he believes that just about any app that handles media files on Android uses the component in one way or another.

The MMS attack vector is the scariest of all because it doesn't require any interaction from the user; the phone just needs to receive a malicious message.

For example, the attacker could send the malicious MMS when the victim is sleeping and the phone's ringer is silenced, Drake said. After exploitation the message can be deleted, so the victim will never even know that his phone was hacked, he said.

The researcher didn't just find the vulnerabilities, but actually created the necessary patches and shared them with Google in April and early May. The company took the issues very seriously and applied the patches to its internal Android code base within 48 hours, he said.

That code gets shared in advance with device manufacturers that are in the Android partnership program, before it's released publicly as part of the Android Open Source Project (AOSP).

Unfortunately, due to the generally slow pace of Android updates, over 95 percent of Android devices are still affected, Drake estimates.

Even among Google's Nexus line of devices, which typically get patches faster than those from other manufacturers, only the Nexus 6 has received some of the fixes so far, the researcher said.

Android patches can take months to reach end-user devices through over-the-air updates. That's because manufacturers have to first pull Google's code into their own repositories, build new firmware versions for each of their devices, test them and then work with mobile carriers to distribute the updates. Devices older than 18 months generally stop receiving updates entirely, leaving them vulnerable to newly discovered issues indefinitely.

The vulnerabilities found by Drake affect devices running Android versions 2.2 and higher, which means that there are a huge number of devices that will probably never receive patches for them.

The researcher estimates that only around 20 to 50 percent of the Android devices that are in use today will end up getting patches for the issues he found. He noted that 50 percent is wishful thinking and that he would be amazed if that happened.

In an emailed statement, Google thanked Drake for his contribution and confirmed that patches have been provided to partners.

"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult," the company said. "Android devices also include an application sandbox designed to protect user data and other applications on the device."

What attackers can do after they exploit the vulnerabilities found by Drake can vary from device to device. Their malicious code will be executed with the privileges of the Stagefright framework, which on some devices are higher than on others. In general the attackers will get access to the microphone, camera and the external storage partition, but won't be able to install applications or access their internal data.

That said, Drake estimates that on around 50 percent of the affected devices the framework runs with system privileges, making it easy to gain root access and therefore complete control of the device. On the rest of devices, attackers would need a separate privilege escalation vulnerability to gain full access.

Since the patches for these flaws are not yet in AOSP, device manufacturers that are not Google partners don't have access to them. It also means that third-party AOSP-based firmware like CyanogenMod is still likely vulnerable.

Drake shared the patches privately with some other affected parties, including Silent Circle and Mozilla.

Silent Circle included the fixes in version 1.1.7 of PrivatOS, the Android-based firmware it developed for its Blackphone privacy-focused device.

Mozilla Firefox for Android, Windows and Mac, as well as Firefox OS were affected by the flaws because they used a forked version of Stagefright. Mozilla fixed the issues in Firefox 38, released in May.

Drake plans to present more details about the vulnerabilities along with proof-of-concept exploit code at the Black Hat Security conference on Aug. 5.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Silent CircleintrusionGoogleZimperiumsecuritymobile securityExploits / vulnerabilitiesmozilla

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?