New “Stagefright” Hack Exposes 275 Million Android Phones

March 19, 2016, 8:22 PM UTC

The Israeli security firm NorthBit has demonstrated an exploit that could allow hackers to access data and functions on a wide range of versions of Android, after users access malicious websites. The vulnerability that makes the hack possible lies in an Android code library called “Stagefright,” which processes several media formats. It was discovered last year, but apparently Google (GOOG) didn’t fix the weakness in all versions of Android.

As reported by Ars Technica, NorthBit has named its exploit “Metaphor.” Vulnerable versions of Android include versions 2.2 through 4.0, as well as 5.0 and 5.1. Altogether, about 275 million phones run those versions.


The exploit does have two significant limiting factors. First, it has to execute different code to hijack each specific model of phone, making it more difficult for a hacker to deploy it at massive scale without building many different versions.

It is also effectively blocked in the latest version of Android, 6.0 Marshmallow, and Google has said a security patch released in October of 2015 protects some older installs.


As Ars points out, however, updating to the latest operating system is not easy or even possible on all Android phones, so the best security advice is still pretty much the oldest one in the book—don’t click on unknown web addresses from untrusted sources.

Update: Here is Google’s full statement on the issue: “Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community’s research efforts as they help further secure the Android ecosystem for everyone.”
