A very serious security vulnerability in Google’s Android operating system allows a remote attacker to take complete control of a victim’s mobile phone by simply sending a text message. Furthermore, the recipient doesn’t even have to open the message for the exploit to work!
The vulnerability was discovered in Android’s Stagefright code, which has been in use since 2010 (as part of the 2.2 release). Google has since patched the vulnerability, but millions of devices are still at risk because Google no longer supports some older versions of the operating system.
“A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone,” stated Josh Drake, the security expert who found the vulnerability.
The Stagefright code preprocesses videos sent over MMS, and it is this “preprocessing” code that allows the vulnerability to be exploited without the message being opened by the recipient.