STEVE INSKEEP, HOST:
Android is the most popular mobile operating system on Earth. Nearly 80 percent of smartphones run on Android. Turns out there's a gaping hole in the software - a hole that would let hackers break into somebody's phone and take over just by knowing the phone number. That at least is according to mobile security experts at the San Francisco-based firm Zimperium. NPR's Aarti Shahani reports.
AARTI SHAHANI, BYLINE: In this attack, the target would not need to goof up - open an attachment or download a file that's corrupt. The malicious code would take over instantly the moment you receive a text message.
JOSHUA DRAKE: This happens even before the sound that you received a message has even occurred.
SHAHANI: Joshua Drake, security researcher with Zimperium.
DRAKE: Could be absolutely silent, you may not even see anything.
SHAHANI: Here's how it would work. The bad guy creates a short video, hides the malware inside it and texts it to you.
DRAKE: As soon as it's received by the phone, it does its initial processing, which triggers the vulnerability.
SHAHANI: The messaging app Hangouts instantly processes videos, keeps them ready in your gallery so you don't have to waste time looking. But the setup invites the malware right in. If you're using the default messaging app, Drake says, it's a tiny bit less dangerous. You would have to view the text message before it processes the attachments. But to be clear...
DRAKE: It does not require - in either case - for the targeted user to have to play back the media at all.
SHAHANI: And once the attackers get in, Drake says, they'd be able to do anything - copy data, delete it, take over your microphone and camera to monitor your every word and move.
DRAKE: It's really up to their imagination what they do once they get in.
SHAHANI: Drake says this set of vulnerabilities affects just about every Android phone currently in use. He discovered it in his lab, and he does not believe that hackers out in the wild are exploiting it - at least not yet. In April, Drake shared his findings with Google which makes the Android operating system, and he even sent along patches to fix the bugs.
DRAKE: Basically within 48 hours, I had an e-mail telling me that they had accepted all of the patches I sent them - which was great. You know, that's a very good feeling.
SHAHANI: But it goes away very quickly, he says, when you look at how long it'll take his Nexus, my Samsung Galaxy, your LG or ZTE to get those patches. Drake says that as few as 20 percent will get fixed.
DRAKE: The number will probably be higher than that - potentially up to the optimistic number of 50 percent.
SHAHANI: Just half of affected smartphones is not a very optimistic estimate, and Google agrees with it. The company declined to record an interview, but Adrian Ludwig, the lead engineer for Android security, told NPR the flaw ranks as high in their hierarchy of severity. They've notified partners and already sent a fix to the smartphone makers who use Android. Whether it gets put into people's phones, that's not in Google's hands.
COLLIN MULLINER: In this case, Google is not the actual one to blame.
SHAHANI: Collin Mulliner is a senior research scientist at Northeastern University.
MULLINER: Ultimately, the manufacturer of your phone in combination possibly with your carrier.
SHAHANI: Android phones are very different from iPhones, for example. Apple runs a closed system. It controls the hardware and software, and it's fairly easy to ship out a major revamp. Google gives its latest version of Android to manufacturers who then tweak it as they please. Carriers like Verizon and T-Mobile do more tweaking and often, Mulliner says, they don't have a financial incentive to fix phones already sold.
MULLINER: If you can save money by not producing updates, you're not going to do that. And since the market is moving that fast, it sometimes doesn't make sense for manufacturers to provide an update.
SHAHANI: NPR has asked leading phone makers and wireless service providers if they'll fix the bug. We're waiting for responses and will post them online at npr.org/alltech. Aarti Shahani, NPR News, San Francisco.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.