CNN reports that Android phones can get infected by merely receiving a picture via text message, according to research published Monday. It affects an estimated 950 million phones worldwide — about 95% of the Androids in use today.

Similar to the Apple text hack, Android phones analyse incoming text message even before you open it. The phone does automatically processes incoming media files – videos, audio, images. According to Zimperium, a cybersecurity company that specializes in mobile devices, a hacker can make use of this flaw and he can take over your phone Android wiping the device, accessing apps or secretly turning on the camera.

Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake (@jduck), dived into the deepest corners of Android code and discovered what we believe to be the worst Android vulnerabilities discovered to date. These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7 found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction.

Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

These screenshots were taken on a Nexus 5 (hammerhead) running the latest version, Android Lollipop 5.1.1.

Mobile Security

Android and derivative devices after and including version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations. If ‘Heartbleed’ from the PC era sends chill down your spine, this is much worse.

The Stagefright vulnerability was assigned with the following CVEs:

CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
In this unique scenario, Zimperium not only reported the vulnerability to the Google teams, but also submitted patches. Considering severity of the problem, Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.

– See more at: http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/#sthash.vAsIBrtj.dpuf