A major vulnerability has been discovered in the Android operating system that could impact close to one billion users.  Thankfully, it is more of a proof-of-concept threat at this point and has not surfaced as an exploit in the wild yet.  Android users should monitor developments and patch promptly as security updates are rolled out in the future.




Imagine that you want to infect someone else’s Android smartphone, but you cannot get physical access to the device. The normal method would be to attempt to trick the phone’s owner into installing a malicious app, or fool them into clicking on a link that points to a webpage that exploits a vulnerability that silently installs malware onto the device. That would be the normal method.

But Joshua Drake, a security researcher with Zimperium, has found a serious vulnerability that does away with all that, and requires no interaction at all by the user. In fact, the vulnerability could allow a hacker to infect your mobile phone while you’re fast asleep. What Drake has uncovered is a way of breaking into an Android user’s phone, and hijacking control of it, just by sending an MMS message with a maliciously-crafted movie file. Once in place, the malware could secretly steal information and spy on your conversations without your knowledge.

Fortunately, Josh Drake believes in responsible disclosure and not only informed Google’s security team of the serious security hole but also provided patches for their code at the same time. But, unfortunately, the problem doesn’t end there. Because even if Google patches Android, that’s very different from the estimated 950 million Android devices around the world *receiving* updates to their vulnerable devices. The only silver lining is that, so far at least, there is no evidence that the flaw has been exploited by malicious hackers in the wild. Nonetheless, if you are one of the lucky Android users who finds themselves able to install an update, I would recommend that you do so as soon as possible.