It has been revealed that a simple text message could allow a hacker to gain control of an Android smart phone.
According to Zimperium, a mobile security firm that discovered the issue, the flaw is quite dangerous and can be carried out with little to no notification:
Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification.
These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep.
Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.
Zimperium says their enterprise level security suite can protect against the vulnerability. They say for non-secured phones an update will have to be pushed out to their phones. With the current fragmentation between handset manufacturers, carriers and even Google, this is likely to take quite a while. Also, as Zimperium points out, older handsets may be passed over for this security fix altogether.