
It may be time for Android users to make the dreaded switch to iPhone.
Mobile security experts are in a panic this morning after researchers at Zimperium zLabs found six critical vulnerabilities in 95 percent of Android phones. Worse yet, it may already be too late for the 950 million mobile users affected, because none of the major wireless carriers have made fixes available to their customers.
The attack is delivered by a simple multimedia text message with an attached video. The malicious code can compromise a phone even if the user doesn’t open the text or watch the video: it triggers immediately, so the code could do its work and delete itself before the user even knew there was a problem. The only information an attacker needs to exploit the remote code execution bug is the target’s mobile phone number.
It’s believed that the vulnerabilities reside in Stagefright, Android’s media playback tool. Malicious multimedia messages (MMS) processed by Stagefright can execute code and steal data from the device. They can also record audio and video and compromise Bluetooth. On some phones, like the Samsung Galaxy S4, the flaw even grants system-level privileges, allowing access to all phone software.
It’s believed that Google has found a possible solution, but the search giant isn’t talking. There’s nothing it can directly do anyway: Google cannot send the update to users by itself—manufacturers and carriers must send out the patch themselves.
Anyone who hasn’t updated their phone since 2010 may be in luck: Android versions below 2.2 are not affected. Since the latest update was version 5.1, however, relatively few users are out of the woods.
UPDATE: The Observer received the following statement from T-Mobile’s corporate communications department:
“We received notice from Google about the Stagefright vulnerability, but have identified no issues relating to it at this time. These kinds of security fixes are usually released by our third-party device partners, so we’re working with them to ensure those security updates have been deployed.”