Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message or the user is lured to a malicious website, a security researcher reported Monday.

The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in "Stagefright," an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.

In a blog post published Monday, Zimperium researchers wrote:

A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.

The vulnerability can be exploited using other attack techniques, including luring targets to malicious websites. Drake will outline six or so additional techniques at next month's Black Hat security conference in Las Vegas, where he's scheduled to deliver a talk titled Stagefright: Scary Code in the Heart of Android.

Drake said all versions of Android after and including 2.2 are potentially vulnerable and that it's up to each device manufacturer to patch the bug. So far, very few devices have been patched, leading him to estimate that about 95 percent of devices—or about 950 million of them—are currently susceptible. Even Google's Nexus 5 handsets, which typically receive security fixes long before most other Android handsets—remain vulnerable. Nexus 6 devices, meanwhile, were patched only recently against some but not all Stagefright attacks. Vulnerable devices running Android versions prior to 4.3 (Jelly Bean) are at the greatest risk, since earlier Android versions lack some of the more recent exploit mitigations. Fixes require an over-the-air update.

Enter Firefox

Interestingly, the Stagefright vulnerability also affects Firefox on all platforms except Linux, and that includes the Firefox OS. Firefox developers have patched the vulnerability in versions 38 and up.

"If you install Firefox 38, you can no longer get exploited directly via Firefox," Drake told Ars. "However, if I make your Firefox download the malicious video instead of trying to play it with a <video width="300" height="150"> tag, it will still reach the vulnerable Android code."

SilentCircle, maker of the Blackphone Android handset, has also patched the vulnerability in its PrivatOS with the release of version 1.1.7.

Android is designed with a security sandbox that prevents most apps from being able to access data used by other apps. That goes a long way to containing the damage Stagefright and similar code-execution exploits can do. In theory, for instance, it should prevent Stagefright exploits from sniffing login credentials used by a properly designed banking app. Still, Drake warned that successful exploits at the very least provide direct access to a phone's audio and camera feeds and to the external storage. Worse still, many older phones grant elevated system privileges to Stagefright code, a design that could allow attackers access to many more device resources.

"The attacker would have remote arbitrary code execution and thus escaping the sandbox is only a small step away," Drake said. He said existing root exploits, including those known PingPongRoot, Towelroot, and put_user, would likely help an attacker break free of the sandbox and gain much wider control over a vulnerable device.

For now, there's not much end users can do to protect themselves other than to install a patch as soon as one becomes available for their specific Android device. People can also prevent MMS messages from automatically loading in Google Hangouts or other text apps. That will prevent malicious code from being automatically loaded but won't protect against other attack vectors. There's no indication that the bug is being actively exploited in the wild. Google has thanked Drake for privately reporting the vulnerability and has since made a patch available to partners. But as we all know, it can take years for security fixes to reach some models, and many devices never receive them.

Post updated in the last paragraph to add sentences about turning off automatic loading of MMS messages.