A security researcher has found an easily exploitable way to hack into phones operating on the Android operating system. Joshua Drake, vice president of platform research and exploitation at Zimperium, a mobile security firm, found that many Android phones are susceptible to hacking through a specially crafted multimedia message (MMS). The vulnerabilities are present in a core Android component called Stagefright. This component is used to process, play and record multimedia files on a smartphone.

The vulnerabilities found by Drake could be exploited even if the user does not execute malicious multimedia files. During his investigation, he found that he could trigger a remote code execution on an Android phone using an MMS message, a Web page with embedded multimedia content, or a specially crafted video file. Media content from any source run through this framework could be a potential attack vector. Hackers only need to know the victims phone number to hack into their phone.

The Android phone could be made vulnerable if multimedia files are copied onto the file system. This is because the library automatically generates thumbnails and extracts metadata from video and audio files. The finding is alarming because the Android phone could be corrupted without any interaction from the user. In many of the scenarios studied, the victim would never even know that their phone had been compromised.

In addition to finding the vulnerabilities, the researcher also created the necessary patches and shared them with Google. Google took the issues raised by the security researcher seriously and applied the patches to its internal Android code base within 48 hours. The code was shared with the device manufacturers in the Android partnership program and will be released publicly as part of the Android Open Source Project (AOSP).

Drake estimates over 95 percent of Android devices are still affected due to the slow pace of Android updates. The number of applications rely on Stagefright was not disclosed by the research, but the current assumption is that any app that handles media files on Android phones uses the component is some way.