"If you ever heard about the 'Heartbleed,' this is much worse," explains Android researcher Joshua Drake on the Zimperium blog, via Forbes. Six serious flaws have left 95% of Android phones vulnerable to data-stealing attacks that, in some cases, can be delivered via "silent" text messages. "All devices should be assumed to be vulnerable," Drake says, estimating 950 million Android phones are at risk (he says the only safe ones are those below version 2.2). At fault is a media playback tool called Stagefright, which despite its name, contains aggressive "remote code execution" bugs that let hackers pull out info accessible by Stagefright—meaning they can ostensibly record audio and video, look through photos, and break into Bluetooth, per Forbes. "Make no mistake about it: This is a bad exploit," Android Central notes.
One of the more sneaky aspects of the attacks: If a user opens the exploit code somewhere like Google Hangouts, it triggers "immediately before you even look at your phone … before you even get the notification," Drake says, and the text message can be deleted before the user opens it, meaning they'd be unaware the attack even took place. Zimperium alerted Google about the vulnerabilities in April, and offered patches, which Google agreed to, per Android Central. But it's not clear if Google has actually implemented the fix into its Nexus phones, or if manufacturers such as Samsung, HTC, and Motorola have sent patches to their customers. Google, for its part, tells Android Central it owes Drake thanks "for his contributions" and that "most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult."