95% of All Androids Can Be Hacked Via A Simple MMS

Six critical vulnerabilities in a core Android component called Stagefright have led to an exploit with which one can hack 95% of all Android devices in existence simply by sending them a slightly modified multimedia message (MMS).

Security expert Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium, was the one to discover the exploit in Google’s OS, which only requires knowing the victim’s phone number.

As far as the stock Messenger app is concerned, the exploit won’t occur unless the victim views an MMS with a video file containing malware on their device. However, in the case of other MMS applications such as Google Hangouts, the victim doesn’t even need to open the message or watch the attached video in order for the hack to be activated. The device will automatically process all media attachments in incoming Hangouts messages and, in turn, parse the attack code.

All that’s needed for the exploit to work is the victim’s phone number

According to Drake, under these dangerous circumstances, a hacker could quickly gain control over the device through remote code execution without any intervention from the victim. Even if they were to discover something fishy, the video would have already made its way into the phone’s Gallery app and there would be little the victim could do in order to protect their personal data. The hacker could also delete the message once the exploit is activated, leaving no trace of the malicious content.

Stagefright is the multimedia playback tool behind the automatic processing, playback and recording of multimedia files on Android devices. This framework is the culprit that makes it possible for remote code execution to be triggered once a message is received through MMS apps such as Google Hangouts. Drake warned that nearly every app that handles media files on the Android OS makes use of the Stagefright library in one way or another, essentially leaving devices prone to what are said to be the worst Android flaws ever.

The vulnerabilities have existed in the Google OS since version 2.2

According to Drake, the vulnerabilities have existed in the Google OS since version 2.2. Moreover, devices running Android versions prior to Jelly Bean (4.2) are at under greater threat, as previous versions of the OS don’t feature the exploit mitigations that were built into more recent versions.

In an effort to put an end to these vulnerabilities, Google has successfully patched its internal code branches. Android devices will also require over-the-air updates, though there’s no telling how long manufacturers will take in order to patch them.

  • Zawyar Ur Rehman

    Now we will need to wait for 1 year till the patch reaches us. As the manufacturers aren’t so good at delivering updates.

    • Muhammad Aamir

      You’re talking of Q-Mobile, I think. :D

      • Muhammad Hamza

        Huawei took more than one year to update honor 3C from jelly bean to Kit kat for coustomers in Pakistan

      • Zawyar Ur Rehman

        Hehe,not just Q-mobile, Samsung as well.

  • Fahad

    Switch to iPhone! iOS is a closed source operating system which makes it secure and stable

    • Muhammad Aamir

      Now, we know you have an iPhone :D

      • Fahad

        Salute to your thinking sir!

        • Muhammad Aamir

          Mazak Kita Si Yar, Tusi Serious Hi Go Gye :P

      • Flikpart

        From your comment it seems you are more obsessed with iPhone than him.

    • saloo

      iphone breaches are popular XD

      • Fahad

        Sir, may I know about those breaches??

        • Geek At Large

          Google “The Fappening”.

          • Fahad

            I must say, this site is really something! lol

      • MySchizoBuddy

        don’t know of any iOS breach that can infect 95% of iOS users

        • Fahid

          Ya right, they usually infect 100% of iOS users :P

    • Samee

      If one is to use a closed system, Windows Phone is a better and affordable option for majority.

      • Fahad

        please don’t say “better” , affordable yeah it sure is!

        • Fahid

          at least you can actually use Bluetooth on Windows Phone
          like transfer pics, ringtones etc.:D

          • Fahad

            lol you’re still on bluetooth? people are now on NFC and Air Drop mate!

            • Fahid

              oh, yeah I only had an NFC phone back 2012 and iPeople heard about it when..in the end of 2014! still I feel sympathy for iPeople
              transfer of NFC?
              1. Apple says NFC only for Apple Play
              2. NFC has a speed of less than half of 1 mbit/s
              3. and I am not even if NFC is use for file transfer as it is too slow

              and by the way Airdrop also uses Bluetooth as one of main sources for data transfer, so basically iPeople don’t even seem to know how iDevices are fooling iPeople.

              but luckily, android has WIFI Direct

              • Fahad

                lol. You need to get your information right first of all. Airdrop uses bluetooth just for pairing and then sends the files over Wifi! The “iPeople” actually uses Airdrop and almost none of android users use NFC or Wifi Direct!

                The video that came out in which the guy pulled out his nfc chip from the battery stating that it is some kinda spying chip by samsung was all over the internet and 90% of the stupid dumb android users actually ripped off their batteries! hahaha this shows how much “Android” users are using NFC and how dumb they are!!!

                Just FYI, the average speed of Airdrop is 30 ~ 50mbps!

      • Bilal Iqbal

        3310… no hack. No CRACK

    • Or you could simply switch to Windows Phone, where the hackers aren’t even interested.. :P

      • Fahad

        haha true that!

    • Aliyan Gohar

      Closed source is more dangerous than open source. If there’s a vulnerability no one will find it and it’ll be exploited like hell

      • Fahad

        no one except the vendor themselves! The point is breaches happen everywhere but an open source OS welcomes the hackers to screw it up while in a closed source OS, hackers have to do months/years of work and even after that a simple patch by the vendor can make the situation back to square one for the hackers

        • Saqib

          that’s why open source linux is way more secure than closed source windows?!

          • Sohaib Razzaq

            Linux being more secure then windows is a gimmick, point is no one bothers to discover linux exploits as there are hardly any users on linux, if someone does use linux then he is more of an expert pc user then your average windows user.
            Now coming onto www, most servers runs on unix and they get exploited to the death, just try LFI/RFI on 10 unix base hosted average websites and you will have root access in almost 3 cases.

            • Bilal Iqbal

              Servers are more likely target rathet than pc’s lol… they have linux

          • Fahad

            Point cleared by Sohaib Razzaq. Couldn’t be any clearer. Do you even know Android OS is based upon Linux kernel? Hackers always target such platforms that are famous among the people or they won’t be able to show you their existence. Android and iOS are equally distributed among the people and Android OS is an awful lot vulnerable than iOS. There is no operating system that is fully secured but Android OS is not at all secured.

        • Fahid

          another aspect worth mentioning is that, if there is a moron Programmer in Open Source programming, his stupidity will get busted in days and corrected.
          On Closed source Side, well! A Moron programmer won’t be recognized before he may have screwed who knows how many parts of the program due to his stupidity.

          So Hell Yeah, Closed Source for …..

    • Bilal Iqbal

      Really ??????

      • Fahad


    • Nemesis

      iphone ain’t for end-users or say panga users like me, I will never ever switch to iproduct either it’s phone or laptop.

      • Fahad

        It’s not about what you want brother. If a person is concerned about privacy he would switch. And you get to take a lot of pangas on iOS and Mac OS as well, but that’s a different debate.

  • TechTnT

    that’s why i hate the S-hi-tt-y Android.

  • Tariq

    Hackers will get to work right after reading this blog

    • Fahad

      Do you really think the hackers don’t already know about this??

      • Tariq

        Duh, I was being sarcastic

  • Abdullah

    Thanks i switched to windows phone

  • Fahid

    bla bla bla, the company named Zimperium discovered something that doesn’t even matters to any serious scale, so they only released their Golden finding in Political Choice of Words, where people can make assumptions on how dangerous it actually is!
    which in fact it is not, but you know if you would go to everyday people for security advise, you are in Luck, in a VERY BAD WAY!
    Yes Android will try to play the file but mediaserver will crash in doing so, because it isn’t actually a media file. Ya, maybe a few seconds of hanging before android will say an app is not responding, do you want close it or wait. That’s it