A billion Android users could be vulnerable to hacking

Android, the most widely used cellphone operating software, is vulnerable to hacking through text messages. No one seems to be exploiting the vulnerability yet, but 950 million handsets could be at risk.

The flaw, somewhat like one that recently exploited the iPhone’s IOS operating system, allows a text message containing a malware-infected media attachment to take over an Android phone. And in some cases a user wouldn’t even have to open the text or view the attachment, because of the way Android automatically processes incoming texts.

What can users do about it at this point? Unfortunately, not much. Joshua Drake, the lead researcher at security firm Zimperium, where the flaw was discovered in April, says Google was notified, quickly acknowledged the flaw, and said it would be fixed.

That was easy to say — Zimperium also sent along a patch to close the vulnerability — but difficult to execute. Apple can push out updates to all iPhones, but Google cannot. It has to rely on phone manufacturers such as Samsung, HTC and LG, and wireless carriers to push out the patch to users.

When such flaws are found, hackers usually give companies 90 days to fix the problem before going public. But Drake said Monday was day 109 since it gave Google notice, and Zimperium thought phone makers and carriers had not all rolled out the fix, so it went public with the flaw.

Android versions from the last five years are vulnerable, according to Zimperium, which would include versions named Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat and Lollipop.

Stay tuned for reaction from manufacturers and wireless carriers on how and when they will — or, let’s hope, already have — distributed the patch.

This story was originally published July 28, 2015 at 8:30 AM with the headline "A billion Android users could be vulnerable to hacking."