If you care about security it has been a pretty sucky week.
Android devices can be infected with malware hidden in text messages. All a hacker needs is a phone number to send the booby-trapped multimedia text, which will silently run software of their choice on the victim’s phone.
The flaw lives in a software library called Stagefright, a critical part of the Android operating system. Its worrying property is that malicious code embedded in a video sent as an MMS is executed without the target even having to open or preview the text. Just receiving the message is enough to compromise a handset, which makes this a highly virulent method of infecting large numbers of Android devices.
Hopes are that there is an update in the works, but we expect that there will be no saving anyone running versions of Android prior to Jelly Bean, as those versions of the operating system do not employ a security measure known as sandboxing. Sandboxing prevents apps from reaching outside of their own memory space to access data from other apps. Later versions of Android (Jelly Bean 4.1 and later) do employ sandboxing, but it is not unusual for this kind of measure to have been defeated in previous attacks.
Currently the only fix is to disable Google Hangouts and MMS messaging services on the phone. A patch has been released, but it is only available for Google/Motorola Nexus phones while the various manufacturers work on deploying the same patch to their devices.
While on the subject of videos breaching security for Android, there is also a flaw in the Firefox browser for Android that displays the same security wrinkle. Upgrading to the latest version is highly recommended.
On the bright side, if you own a Windows phone the bad guys don’t care about you. Yet.
Get the original story from The Register here.