Smartphone owners warned to keep close eye on texts as details of new bug are revealed
Smartphone owners are being told to keep a close eye on incoming text messages after details of a new bug were revealed.
A security flaw in Android phones could give control to a hacker via a simple text message and without any action taken by the phone’s owner. It means that the only thing a hacker needs to attack a phone is the owner’s contact details or number.
The flaw, discovered by US IT security expert Joshua Drake, has yet to produce any reported victims. However, experts have warned that 95pc of the world’s 1bn Android phones are at risk and that phones between one and three years old could be particularly vulnerable.
Google says that it has come up with a fix for the flaw but can only apply it directly to its own Nexus phones. For most of the world’s Android smartphones -- including an estimated 2m Irish Android phones -- it is the manufacturer who must release a direct security patch. So far, top-selling brands such as Samsung, HTC, Sony and Huawei have not yet issued a security patch.
To protect against the bug, Android users have been advised to activate a setting on their phone that blocks messages from unknown users. This is done by choosing ‘settings’ in the ‘messages’ app and then selecting the option that blocks messages from unknown senders.
A spokeswoman for Google said that a security patch has been issued for the flaw.
“This vulnerability was identified in a laboratory setting on older Android devices and as far as we know, no one has been affected,” she said. “As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users. As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at BlackHat.”
The bug works by exploiting Android’s media library, called Stagefright. Because of this flaw, a video message sent to a phone does not have to be played by the user to infect the phone.
Mr Drake, vice president of platform research and exploitation at Zimperium, said that he would release further details of how the flaw works next week.