95% of All Androids Can Be Hacked Via A Simple MMS

Six critical vulnerabilities in a core Android component called Stagefright have led to an exploit with which one can hack 95% of all Android devices in existence simply by sending them a slightly modified multimedia message (MMS).

Security expert Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium, was the one to discover the exploit in Google’s OS, which only requires knowing the victim’s phone number.

As far as the stock Messenger app is concerned, the exploit won’t occur unless the victim views an MMS with a video file containing malware on their device. However, in the case of other MMS applications such as Google Hangouts, the victim doesn’t even need to open the message or watch the attached video in order for the hack to be activated. The device will automatically process all media attachments in incoming Hangouts messages and, in turn, parse the attack code.

All that’s needed for the exploit to work is the victim’s phone number

According to Drake, under these dangerous circumstances, a hacker could quickly gain control over the device through remote code execution without any intervention from the victim. Even if they were to discover something fishy, the video would have already made its way into the phone’s Gallery app and there would be little the victim could do in order to protect their personal data. The hacker could also delete the message once the exploit is activated, leaving no trace of the malicious content.

Stagefright is the multimedia playback tool behind the automatic processing, playback and recording of multimedia files on Android devices. This framework is the culprit that makes it possible for remote code execution to be triggered once a message is received through MMS apps such as Google Hangouts. Drake warned that nearly every app that handles media files on the Android OS makes use of the Stagefright library in one way or another, essentially leaving devices prone to what are said to be the worst Android flaws ever.

The vulnerabilities have existed in the Google OS since version 2.2

According to Drake, the vulnerabilities have existed in the Google OS since version 2.2. Moreover, devices running Android versions prior to Jelly Bean (4.2) are at under greater threat, as previous versions of the OS don’t feature the exploit mitigations that were built into more recent versions.

In an effort to put an end to these vulnerabilities, Google has successfully patched its internal code branches. Android devices will also require over-the-air updates, though there’s no telling how long manufacturers will take in order to patch them.


  • Now we will need to wait for 1 year till the patch reaches us. As the manufacturers aren’t so good at delivering updates.

    • If one is to use a closed system, Windows Phone is a better and affordable option for majority.

            • oh, yeah I only had an NFC phone back 2012 and iPeople heard about it when..in the end of 2014! still I feel sympathy for iPeople
              transfer of NFC?
              1. Apple says NFC only for Apple Play
              2. NFC has a speed of less than half of 1 mbit/s
              3. and I am not even if NFC is use for file transfer as it is too slow

              and by the way Airdrop also uses Bluetooth as one of main sources for data transfer, so basically iPeople don’t even seem to know how iDevices are fooling iPeople.

              but luckily, android has WIFI Direct

              • lol. You need to get your information right first of all. Airdrop uses bluetooth just for pairing and then sends the files over Wifi! The “iPeople” actually uses Airdrop and almost none of android users use NFC or Wifi Direct!

                The video that came out in which the guy pulled out his nfc chip from the battery stating that it is some kinda spying chip by samsung was all over the internet and 90% of the stupid dumb android users actually ripped off their batteries! hahaha this shows how much “Android” users are using NFC and how dumb they are!!!

                Just FYI, the average speed of Airdrop is 30 ~ 50mbps!

    • Closed source is more dangerous than open source. If there’s a vulnerability no one will find it and it’ll be exploited like hell

      • no one except the vendor themselves! The point is breaches happen everywhere but an open source OS welcomes the hackers to screw it up while in a closed source OS, hackers have to do months/years of work and even after that a simple patch by the vendor can make the situation back to square one for the hackers

          • Linux being more secure then windows is a gimmick, point is no one bothers to discover linux exploits as there are hardly any users on linux, if someone does use linux then he is more of an expert pc user then your average windows user.
            Now coming onto www, most servers runs on unix and they get exploited to the death, just try LFI/RFI on 10 unix base hosted average websites and you will have root access in almost 3 cases.

          • Point cleared by Sohaib Razzaq. Couldn’t be any clearer. Do you even know Android OS is based upon Linux kernel? Hackers always target such platforms that are famous among the people or they won’t be able to show you their existence. Android and iOS are equally distributed among the people and Android OS is an awful lot vulnerable than iOS. There is no operating system that is fully secured but Android OS is not at all secured.

        • another aspect worth mentioning is that, if there is a moron Programmer in Open Source programming, his stupidity will get busted in days and corrected.
          On Closed source Side, well! A Moron programmer won’t be recognized before he may have screwed who knows how many parts of the program due to his stupidity.

          So Hell Yeah, Closed Source for …..

    • iphone ain’t for end-users or say panga users like me, I will never ever switch to iproduct either it’s phone or laptop.

      • It’s not about what you want brother. If a person is concerned about privacy he would switch. And you get to take a lot of pangas on iOS and Mac OS as well, but that’s a different debate.

  • bla bla bla, the company named Zimperium discovered something that doesn’t even matters to any serious scale, so they only released their Golden finding in Political Choice of Words, where people can make assumptions on how dangerous it actually is!
    which in fact it is not, but you know if you would go to everyday people for security advise, you are in Luck, in a VERY BAD WAY!
    Yes Android will try to play the file but mediaserver will crash in doing so, because it isn’t actually a media file. Ya, maybe a few seconds of hanging before android will say an app is not responding, do you want close it or wait. That’s it


  • >