In a blog post published today by the researchers at Zimperium Mobile Security, the group divulged an extremely widespread security vulnerability that can be exploited with nothing more than a targeted MMS message. The hole exists in the part of the Android operating system called Stagefright, which handles the processing of certain types of multimedia.

How it works

If targeted, the hypothetical hacker needs only to send an MMS message, which in many cases doesn't even need to be read before the attacker gains access to the victim's microphone and camera. The file contains malicious code that executes by taking advantage of the problems in the Stagefright codebase. In the worst case, Zimperium says, the attacker could remove any trace of the offending MMS before the end user is even made aware that one was received.

When MMS content is automatically downloaded, as is the default setting in Hangouts and many other applications, the owner of the phone doesn't have to interact with the message at all for malicious code to get privileged access in the system. There are several variables at this point in the process that affect just how much damage can be done.

Zimperium's lead researcher Josh Drake warns that a sophisticated attacker could take advantage of the weaknesses used for Towelroot and PingPongRoot to wreak even more havoc in devices running firmware that doesn't include those patches.

Google has emphasized the "sandboxing" that occurs in Android as an effective method of protecting users, which it is. Apps in general can only interact via certain vectors as a way to prevent one piece of malware from stealing or altering data in others. This mostly holds true with the Stagefright exploit, but all bets are off if root access is gained. The attacker will have more privileges than the messaging app sandbox would normally allow, too.

@ncweaver it runs with higher privilege. in some cases with "system" — Joshua J. Drake (@jduck) July 27, 2015

A point of emphasis is that this is not a Messages/Hangouts/MMS bug. The weakness is in the part of the OS known as Stagefright, which handles media playback, and it could be exploited in multiple ways. The MMS message is simply the easiest way for a hacker to target a particular person without the victim having any way to defend himself or herself.

The nitty-gritty details still haven't been revealed in full, to avoid very explicitly handing instructions to hackers, but they will be discussed at a conference in the coming days, as is accepted practice in the security community.

Who is vulnerable

At this point, fortunately, it isn't believed that any hackers have been capitalizing on this vulnerability. With that said, updates have reached exceedingly few devices at this point in time. All but the absolute newest builds of Android 5.1.1 could be exploited, but over time patches will reach builds as old as KitKat.

Having older software is no use either, as users with Gingerbread 2.2 and possibly even before aren't safe. In fact, experts warn, 2.x builds are the most vulnerable since there are so many known methods for the attacker to gain root access.

Zimperium estimates that 95% of Android users have some portion of the Stagefright security holes. That does not mean that 95% will be targeted, since it is far from the type of thing the novice hacker would have the know-how to implement.

This shouldn't cause a mass panic, but it nonetheless is a big problem for Android in general. There is some safety in numbers, so you don't need to feel like you're about to be hacked, but this is a serious big-picture issue.

How it is being fixed

Josh Drake told Google about the problems privately in April. There are several patches now included in all OS versions from KitKat 4.4 and onward, but very few end user phones are protected at this point.

This brings into further focus the problems of OEM and carrier control over software updates, since it is likely to be a long time before devices receive patches if they ever do.

According to Ars Technica, though, the Nexus 5 running 5.1.1 is still fully exploitable and the Nexus 6 is only partially patched. Since everyone will be eager to assign blame, it is important to recognize that even Google's own flagships aren't "fixed" yet, despite Google having had months to take action.

PrivatOS, the customized Android version for Silent Circle's Blackphone, is one of few to have already pushed updates. CyanogenMod has implemented Google's patches for the past two weeks of builds. Drake and collaborators also found that Firefox could be penetrated with a similar method, but it has been made safe since v38 (the current stable version is v39).

What users can do

In many ways, unfortunately, you're helpless. If possible, use a messaging app that allows you to disable automatic downloading of MMS attachments. This is the behavior that allows you to be exploited via a message without you even knowing. You could also consider blocking messages from unknown numbers if your messaging software allows.

Still, as the man who publicized the Stagefright vulnerabilities said, MMS is just one of many ways you can be exploited.

@BridgetCarey It would only block the worst of many attack vectors. An attack through the browser, for example, would still be possible. — Joshua J. Drake (@jduck) July 27, 2015

While he hasn't come out and said "don't use Chrome," Drake has suggested that Firefox is your best bet to avoid hacking by browser.

@benmmurphy @suka_hiroaki even in the browser it runs out of process... except for Firefox =) — Joshua J. Drake (@jduck) July 27, 2015

By and large, he has been dismissive of suggestions that app makers can protect users, because the problem is at the OS level. General suggestions include avoiding attempts at social engineering that would trick you into opening malicious messages, files, or websites. Your best bet, though, is convincing those in charge to fix the OS: