Joshua Drake, a researcher from Zimperium's zLabs, is about to drop a bombshell at the upcoming Black Hat conference: details of an Android remote code execution exploit that could use a single MMS message to crack as many as 950 million phones, or roughly 95% of all Android handsets, according to statements Drake provided to Forbes. The attack is called Stagefright, named after Android's system-wide media playback component, where the vulnerabilities lie—and which various messaging apps use to display multimedia content. zLabs even goes so far as to call this "the worst Android vulnerability in the mobile OS['s] history."
Depending on the messaging app in question, a victim may not even have to view the booby-trapped MMS. Drake told Forbes that Google's Hangouts allows for a fully silent attack on a vulnerable handset—the exploit triggers before a notification is even issued. In addition, Drake told Forbes that older devices such as the Samsung Galaxy S4 and LG's Optimus Elite run the exploitable process with system-level permissions, which "provides wide access across the phone" with no further effort.
Devices that don't run Stagefright as a privileged process aren't safe, either. Drake also told Forbes that other exploits can be "chained" to this attack to carry out other nefarious activities like privilege escalation, and that the necessary exploits are "fairly easy to come by." Furthermore, while recent versions of Android have system-level exploit mitigation measures like sandboxing, those aren't included in the 100 million devices running OS versions older than 4.1 Jelly Bean. Ironically, phones running Android 2.1 or older are unaffected.
Drake reported six critical vulnerabilities and sent patches to Google on April 9. The company accepted them into Android the following day. On May 4, Drake sent out a second set of reports to Mountain View, which were incorporated into upcoming patches on May 8.
Despite the existence of these patches, Android phone manufacturers release updates slower than snails with lead shells climbing a cliff. As of last month, only 10% or so of phones were running Android 5.0 or above. When Forbes contacted major Android phone manufacturers for comment about their update plans, only HTC replied, and only vaguely. Aside from a couple of exceptions—namely, Google's Nexus 6 and Silent Circle's Blackphone—Drake believes that most manufacturers have not made the Google-issued patches available to customers, and states that "all devices should be assumed to be vulnerable."