Android is the most popular mobile
operating system on Earth: About
80 percent of smartphones run on
it. And, according to mobile
security experts at the firm
Zimperium, there's a gaping hole in
the software — one that would let
hackers break into someone's
phone and take over, just by
knowing the phone's number

Just A Text
In this attack, the target would not
need to goof up — open an
attachment or download a file
that's corrupt. The malicious code
would take over instantly, the
moment you receive a text
message.

"This happens even before the
sound that you've received a
message has even occurred," says
Joshua Drake, security researcher
with Zimperium and co-author of
Android Hacker's Handbook .
"That's what makes it so dangerous.
[It] could be absolutely silent. You
may not even see anything."

Here's how the attack would work:
The bad guy creates a short video,
hides the malware inside it and
texts it to your number. As soon as
it's received by the phone, Drake
says, "it does its initial processing,
which triggers the vulnerability."

The messaging app Hangouts
instantly processes videos, to keep
them ready in the phone's gallery.
That way the user doesn't have to
waste time looking. But, Drake says,
this setup invites the malware right
in.

If you're using the phone's default
messaging app, he explains, it's "a
tiny bit less dangerous." You would
have to view the text message
before it processes the attachment.
But, to be clear, "it does not require
in either case for the targeted user
to have to play back the media at
all," Drake says.

Once the attackers get in, Drake
says, they'd be able do anything —
copy data, delete it, take over your
microphone and camera to monitor
your every word and move. "It's
really up to their imagination what
they do once they get in," he says.

There's A Solution, In Theory
According to Zimperium, this set of
vulnerabilities affects just about
every active Android phone in use.
Drake says he discovered it in his
lab, and he does not believe that
hackers out in the wild are
exploiting it — at least not yet.
In correspondence in April and
May, he shared his findings with
Google, which makes the Android
operating system. He even sent
along patches to fix the bugs.

"Basically, within 48 hours I had an
email telling me that they had
accepted all of the patches I sent
them, which was great," he says.
"You know, that's a very good
feeling."

But it goes away very quickly, he
says, when you look at how long it'll
take his Nexus, my Samsung Galaxy
and your LG or ZTE to get those
patches. Drake says that as few as
20 percent will get fixed, though
the figure may be higher than that,
"potentially up to the optimistic
number of 50 percent."

Android Partnerships Are
Complicated
Just half of affected smartphones is
not a very optimistic estimate. And
Google agrees with it.
The company declined a recorded
interview. But Adrian Ludwig, the
lead engineer for Android security,
told NPR the flaw ranks as "high" in
the team's hierarchy of severity ;
and they've notified partners and
already sent a fix to the
smartphone makers that use
Android.
Whether it gets put into people's
phones is not in Google's hands.
"In this case Google is not the actual
one to blame," says Collin Mulliner,
a senior research scientist at
Northeastern University. "It's
ultimately the manufacturer of
your phone, in combination
possibly with your carrier."
Android phones are very different
from iPhones, for example. Apple
runs a closed system: It controls the
hardware and software, and it's
fairly easy to ship out a major
revamp. The company says 85
percent of iPhone users have the
latest operating system, iOS 8.
According to security firm F-
Secure, 99 percent of mobile
malware threats in the first quarter
of 2014 were designed to run on
Android devices.
Google gives its latest version of
Android to manufacturers, and
they then tweak it as they please.
Carriers like Verizon and T-Mobile
do more tweaking. The blog
Android Central has described the
challenge of updating the operating
system as an "impossible problem ."
Earlier this year, a hole discovered
in the Android Web-browsing app
was left largely unpatched too.
Often, Mulliner says,
manufacturers don't have a
financial incentive to fix phones
already sold.
"If you can save money by not
producing updates, you're not
going to do that," he says. "Since
the market is moving that fast, it
sometimes doesn't make sense for
the manufacturer to provide an
update."
NPR has asked leading phone
makers and wireless service
providers whether they'll fix the
bug. We're waiting for responses
and will post them to this page.

Updated 2:47 p.m. ET July 27:
Companies Respond
Here are the responses we've
received so far from smartphone
manufacturers and wireless
carriers:
Smartphone Manufacturers
HTC: "Google informed HTC of the
issue and provided the necessary
patches, which HTC began rolling
into projects in early July. All
projects going forward contain the
required fix."
Silent Circle ( on Twitter): "We
patched Blackphone weeks ago!"
Wireless Carriers
T-Mobile: "These kinds of security
fixes are usually released by our
third-party device partners, so
we're working with them to ensure
those security updates have been
deployed." Also, the company says,
"You may wish to contact the device
manufacturers directly, as they can
tell you more about their specific
plans for these security update
releases."


http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text

That's why I still trust bb10 and ios..

google has fix iy and send the patch to android manufacturers. so be xpecting updates

Let it be possible to hack Android by playing music...
I would still prefer ANDROID!