Android Bug: 950 Million Smartphones Open to Espionage, Says Security Expert

Nearly a billion Android phones could be exposed to a critical security flaw, which would enable governments and sophisticated criminals to spy on users and collect personal data.

Researcher Josh Drake, of mobile security firm Zimperium, discovered the vulnerability in April and reported it to Google, Android's developer. Drake said that the flaw could affect up to 95% of Android devices, an estimated 950 million smartphones.

The flaw, known as the Stagefright vulnerability, means that attackers can gain access to a smartphone user's photos, contacts and other personal information simply by sending a text message with a photo or video attached. All an attacker needs to exploit the flaw is the target's phone number, according to Drake. By sending a malicious media file via Multimedia Messaging Service (MMS), an attacker can take over the device and even delete the message before the recipient sees it. The recipient doesn't even need to open the message for the attack to succeed: the phone's messaging software retrieves and processes the attached media automatically on arrival, and the flaw lies in that processing step.

Chris Wysopal, chief technology officer at application security firm Veracode, says that the flaw exposes millions of users to espionage, and could be used by organizations including the National Security Agency (NSA) and other nation-states to gather information on suspects in terrorism and other high-profile crimes.

"It's sort of the perfect thing for those agencies. They want to spy on their targets, they want to understand them and get at their communication and their contact list," says Wysopal. "It'll be interesting to see if criminal organizations...use it to steal PII [Personally Identifiable Information] and other data they can monetize."

According to Statista, the Android operating system was installed in around 1.6 billion smartphones as of 2014—an estimated 75 percent of all smartphones worldwide. The latest data put Android's smartphone market share at around 79 percent.

Drake's research found that the vulnerability affects every Android release since version 2.2, launched in 2010. Older devices running versions prior to Android's Jelly Bean release (about 11 percent of devices) are at the greatest risk, because those versions lack the exploit mitigations, such as address space layout randomization, that make the flaw harder to turn into full device takeover on newer releases.

"If 'Heartbleed' from the PC era sends [a] chill down your spine, this is much worse," wrote Drake on the Zimperium blog, referring to the 2014 vulnerability in the OpenSSL library that was linked to the theft of personal data of around 4.5 million healthcare patients in the U.S., as well as to other attacks, including one on the Canadian tax authority.

Drake wrote that Google reacted promptly to being notified of the problem, issuing patches within 48 hours. In a statement, a Google spokesperson said that the vulnerability had been identified on earlier versions of Android in a laboratory setting, and that Google had sent a fix to its partners after being notified of the weakness. The spokesperson added that further updates would be issued for Google's Nexus phones starting next week. Because Google distributes the fix to handset makers and carriers rather than directly to most devices, users of non-Nexus phones remain exposed until their own manufacturer or carrier ships an update.