So listen: Can I have your number?
Can I have it? Can I? Have it?
Um…maybe not. Actually, you should think twice before giving away your cell phone number—especially if you happen to own a phone that runs on Google’s Android operating system.
That’s the only thing a hacker needs to compromise a handset.
A mobile security researcher has uncovered a flaw that leaves as many as 95% of Android devices—that’s 950 million gadgets—exposed to attack. The computer bug, nicknamed “Stagefright” after a vulnerable media library in the operating system’s open source code, may be one of the worst Android security holes discovered to date. It affects Android versions 2.2 and on.
Should a hacker learn someone’s cell phone number, all it takes is for that person to send a malware-laced Stagefright multimedia message to an affected phone in order to steal its data and photos or to hijack its microphone and camera, among other nefarious actions. Worse yet, a user might have no idea that his or her device has been compromised.
Joshua Drake, vice president of research and exploitation at the mobile security firm Zimperium zLabs, says an attacker can delete the message before a victim has any idea.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” he writes on his company’s blog. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
When Drake reported the severe vulnerabilities along with potential fixes to Google (GOOG) in April (as well as another set May), the company, he writes, “acted promptly and applied the patches to internal code branches within 48 hours.” That doesn’t mean the problem is resolved, however.
As Forbes reporter Thomas Fox-Brewster writes, device manufacturers will still need to push the updates out in order to safeguard their customers. Google’s major Android partners, which include phone-makers like LG, Lenovo (LNVGY), Motorola, Samsung (SSNLF), and Sony (SNE) were not immediately available to comment. (Fortune has reached out to these handset makers. We will update this when we hear back.)
An HTC (HTC) spokesperson responded: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”
Drake praises the security firm Silent Circle, based in Geneva, Switz., which makes the Blackphone handset, for its quick response protecting users since it released PrivatOS version 1.1.7. He also praises Mozilla, maker of the Firefox web browser, for including fixes since version 38. “We applaud these vendors for prioritizing security and releasing patches for these issues quickly.”
“This is Heartbleed for mobile,” said Chris Wysopal, chief tech and information security officer at the application security firm Veracode. These vulnerabilities “are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS.”
Drake plans to present his research at the Black Hat and Def Con security conferences in Las Vegas next month.
So, um, can I have your number?
Update July 27, 2015 — Google told Fortune:
We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.
Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.
Update July 28, 2015 —
Google Nexus told Fortune:
As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.
(You can read more about Android security from Adrian Ludwig, Google’s lead Android security engineer, here.)
Samsung told Fortune:
Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users. Google notified us about the issue, and we are working to roll-out the software update as soon as possible. Samsung encourages users to keep their software and apps updated, and to exercise caution when clicking on an unsecure mail or link.
Motorola told Fortune:
After Google informed us in late June, we’ve been working to integrate, test and deploy the patches. It has been included in many of our recent Lollipop upgrades for current products and we’ll include it in the remaining planned Lollipop upgrades as soon as possible. All of our products being announced on July 28 will have the patch integrated into the software.