Android Security

How 95% of Android Phones Can Be Hacked with a Single Text

Andre Infante 29-07-2015

A new Android vulnerability has the security world worried – and it leaves your Android phone extremely vulnerable. The issue comes in the form of six bugs in an innocuous Android module called StageFright, which is used for media playback.


The StageFright bugs allow a malicious MMS, sent by a hacker, to execute malicious code inside the StageFright module. From there, the code has a number of options for gaining control of the device. As of right now, something like 950 million devices are vulnerable to this exploit.

It is, simply put, the worst Android vulnerability in history.

Silent Takeover

Android users are already growing upset about the breach, and for good reason. A quick scan of Twitter shows many irate users popping up as the news permeates the web.

Part of what makes this attack so scary is that there’s little users can do to protect themselves against it. Likely, they wouldn’t even know that the attack has occurred. 


Normally, to attack an Android device, you need to get the user to install a malicious app. This attack is different: the attacker would simply need to know your phone number, and send a malicious multimedia message.

Depending on which messaging app you use, you might not even know that the message arrived. For example: if your MMS messages go through Andoid’s Google Hangouts How To Use Google Hangouts On Your Android Google+ Hangouts is Google's answer to chat rooms. You can hang out with up to 12 people using video, audio, and text chat, as well as several optional apps. Hangout is available on your Android... Read More , the malicious message would be able to take control and hide itself before the system even alerted the user that it had arrived. In other cases, the exploit might not kick in until the message is actually viewed, but most users would simply write it off as harmless spam text Identify Unknown Numbers and Block Spam Text Messages with Truemessenger for Android Truemessenger is a fantastic new app for sending and receiving text messages, and it can tell you who an unknown number is and block spam. Read More or a wrong number.

Once inside the system, code running within StageFright automatically has access to the camera and microphone, as well as bluetooth peripherals, and any data stored on the SD card. That’s bad enough, but (unfortunately) it’s just the start.

While Android Lollipop implements a number of security improvements 8 Ways Upgrading to Android Lollipop Makes Your Phone More Secure Our smartphones are full of sensitive information, so how can we keep ourselves safe? With Android Lollipop, which packs a big punch in the security arena, bringing in features that improve security across the board. Read More , most Android devices are still running older versions of the OS A Quick Guide To Android Versions & Updates [Android] If someone tells you they’re running Android, they’re not saying as much as you’d think. Unlike the major computer operating systems, Android is a broad OS that covers numerous versions and platforms. If you’d like... Read More , and are vulnerable to something called a “privilege escalation attack.” Normally, Android apps are “sandboxed What's A Sandbox, And Why Should You Be Playing in One Highly-connective programs can do a lot, but they're also an open invitation for bad hackers to strike. To prevent strikes from becoming successful, a developer would have to spot and close every single hole in... Read More “, allowing them to access only those aspects of the OS that they’ve been granted explicit permission to use. Privilege escalation attacks allow malicious code to “trick” the Android operating system into giving it more and more access to the device.


Once the malicious MMS has taken control of StageFright, it could use these attacks to take total control over older, insecure Android devices. This is a nightmare scenario for device security. The only devices totally immune to this issue are those running operating systems older than Android 2.2 (Froyo), which is the version that introduced StageFright in the first place.

Slow Response

The StageFright vulnerability was originally uncovered in April by Zimperium zLabs, a group of security researchers. The researchers reported the issue to Google. Google quickly released a patch to manufacturers – however, very few device makers have actually pushed the patch to their devices. The researcher who discovered the bug, Joshua Drake, believes that about 950 million of the estimated one billion android devices in circulation are vulnerable to some form of the attack.

Google’s own devices like the Nexus 6 have been partially patched according to Drake, although some vulnerabilities remain. In an email to FORBES on the subject, Google reassured users that,


“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device,”

However, this isn’t much comfort. Until Android Jellybean Top 12 Jelly Bean Tips For A New Google Tablet Experience Android Jelly Bean 4.2, initially shipped on the Nexus 7, provides a great new tablet experience that outshines previous versions of Android. It even impressed our resident Apple fan. If you have a Nexus 7,... Read More , the sandboxing in Android has been relatively weak, and there are several known exploits that can be used to get around it. It’s really crucial that manufacturers roll out a proper patch for this issue.

What Can You Do?

Unfortunately, hardware makers can be extremely slow to roll out these sorts of critical security patches. It’s certainly worth contacting your device manufacturer’s customer support department and asking for an estimate on when patches will be available. Public pressure will probably help speed things along.

For Drake’s part, he plans to reveal the full extent of his findings at DEFCON, an international security conference that takes place in early August. Hopefully, the added publicity will spur device manufacturers to release updates quickly, now that the attack is common knowledge.

On a broader note, this is a good example of why Android fragmentation is such a security nightmare.


On a locked-down ecosystem like iOS, a patch for this could be rushed out in hours. On Android, it may take months or years to get every device up to speed due to the enormous level of fragmentation. I’m interested to see what solutions Google comes up in the coming years to start to bring these security-vital updates out of device-makers’ hands.

Are you an Android user affected by this issue? Concerned about your privacy? Let us know your thoughts in the comments!

Image credit: Backlit Keyboard by Wikimedia

Related topics: Anti-Malware, Smartphone Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Monoranjan sutradhar
    March 9, 2019 at 2:21 am

    How to solve this issue which has affected my Android mobile "95% user recommended that"

  2. Anonymous
    August 18, 2015 at 1:17 am

    "Part of what makes this attack so scary is that there’s little users can do to protect themselves against it"..Please stop with the alarmist rhetoric.

    In the absence of a patch, all a user has to do is disable auto-retrieval of MMS messages in their texting app. If their app doesn't allow for changing this setting then they should be using a different app to begin with.

    The update problem isnt with Android but rather the big fat cell providers that have to mangle the OS before releasing it to their customers. Get rid of that practice you you will fix a headache for everyone in the Android Ethos.


  3. Anonymous
    August 14, 2015 at 1:42 am

    I have been using Textra for some time now, and they claim that Textra offers "Protection from Stagefright! ... Textra SMS protects by ensuring new video messages can not automatically run the exploit."

    However, when I run the "Stagefright Detector App" from Zimperium INC. it says that I am vulnerable, so I'm not sure how safe I really am. Maybe "Stagefright Detector App" is saying that I would be vulnerable IF I manually opened an infected message, even though Textra doesn't automatically open MMS messages now?

  4. Anonymous
    July 29, 2015 at 3:48 pm

    How do you know if your phone is infected? Suddenly my android is not working. Can't turn it on; know the battery is fully charged.

  5. Anonymous
    July 29, 2015 at 1:09 pm

    So, how do you know if you're infected and/or have the "patch"...?

    • Anonymous
      August 13, 2015 at 11:22 pm

      There are quite a few apps that find out for you, such as the Stagefright Detector App. Just do a search in the Play Store.

  6. Anonymous
    July 29, 2015 at 4:19 am

    Turn off auto retrieval of MMS. Hangouts has a setting for it, as well as many other messaging apps.

  7. Anonymous
    July 29, 2015 at 2:47 am

    FTW that's why I use iOS!

    • Anonymous
      July 29, 2015 at 4:07 pm

      Don't be too complacent about iOS. There is a texting exploit for iPhones that was reported last month that can totally lock and crash them. If I'm not mistaken, quite a few have been bricked because if it.

      • Anonymous
        August 15, 2015 at 3:08 pm

        Thank you for informing the as usual.. Egotistical. I was about to till I read your reply. No os is perfect.