Researchers have discovered an easier way for hackers to get into your Android phone. What makes this scary is that they don’t need you to install any applications whatsoever. Just by a simple message, they’re in. Researchers at the Zimperium Mobile Labs reported yesterday and have since alerted the Google security team.
“Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”
The diagram below explains simply how it works.
source: Zimperium
First a malicious message (video messaging) and then it defies Android’s sandboxing security. The code runs and like that they have access to your device. Also worthy of note is that you are likely not to discover this as the hacker can remotely delete the message once they’re in.
One important part to note is that up to 95% of Android devices are vulnerable.