A new report published by researchers indicates that a severe security flaw has been discovered within the Android mobile operating system that has already infected nearly a billion devices.
How it Works
The concept of the flaw is surprisingly simple: a hacker could simply send a photo or video message — containing malicious code — to a user’s Android device. Like receiving any other MMS, the user doesn’t need to take any action in order for the code to accessing information on the device.
“This happens even before the sound that you’ve received a messages has even occurred,” said Joshua Drake, a security researcher at Zimperium.
The entire process utilizes a service within Android called Stagefright. The malicious code access this service, and once the service has been breached, a hacker has gained access to not only data but access to functions on the Android device like the camera.
Seeking a Solution
The good news is that Zimperium, the mobile security firm that first reported the flaw, doesn’t believe hackers are exploiting the security flaw. But that doesn’t mean fixing the issue isn’t imperative.
With the help of some patches from Drake, Google was able to patch the security exploit in less than 48 hours after the company was notified. Unfortunately, getting this patch out to millions of Android users is an entirely different problem that must be faced.
Getting Manufacturers and Carriers On Board
When it comes to Android, Google is just one piece of the puzzle. They work with both hardware partners and the wireless carriers in order to push out Android updates, which is part of the infamous fragmentation issue that plagues the mobile OS.
Google has to send the patches over to the hardware manufacturers in order to implement them into all of their devices in a separate software update. Whether the manufacturers decide to implement the fix in a standalone update or incorporate it in an upcoming update is entirely up to them.
Once the manufacturers have a build, they must then take it to wireless carriers in order to go through a separate certification process for each carrier before finally being sent out in an over-the-air (OTA) update.
Some companies, like HTC, have already come forth and stated that they began implemented patches to fix this exploit in their Android headsets already.