After 100+ Days, Google Admits Huge Security Flaw in Android Phones


More than 100 days after it was reported, Google has finally admitted to a massive security flaw in the Android cell phone operating system – i.e. the one you’re using, if you don’t have an iPhone.

It’s been compared to the huge “Heartbleed” bug that panicked the Internet last year. It could prove to be an even worse problem than Heartbleed was, because while devising and distributing fixes for that problem was hardly an easy task, it wasn’t as difficult as updating the operating system on some 950 million cell phones from various providers.

Considering the magnitude of the problem, media coverage has been rather muted. “Android phones can get infected by merely receiving a picture via text message,” reported CNN Money on Tuesday. “This is likely the biggest smartphone flaw ever discovered.”

When they say “infected,” they don’t just mean “crashed,” the way Apple’s text-message problem could be used by mischief-makers to force iPhones to reboot.

The Droid flaw allows hackers to take complete control of the targeted cell phone, “wiping the device, accessing apps, or secretly turning on the camera,” according to CNN. That level of control would certainly seem to imply that raiding the data on the phone, using the owner’s identity to spread malware to his contacts, or using the phone as a crowbar to penetrate networks it connects to, could also be on the menu.

According to a report from cyber-security company Zimperium, the security flaw they discovered – which they have nicknamed “Stagefright” – lurks in the media library of Droid phones, potentially triggered by any media file the phone attempts to process. You might never even know the attack occurred. Zimperium warns:

Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

For the record, they went on to second the notion that StageFright is “much worse” than Heartbleed was, warning that phones running the oldest Droid revision to include the security flaw (version 2.2) are the most vulnerable to exploit, and the hardest to correct with patches. Conversely, phones running Droid version 4.0 or higher may be protected from infection by other security improvements that were introduced into the operating system.

Zimperium credits Google with promptly acknowledging their warning about the StageFright flaw, but the story related by CNN Money is a bit more complicated:

Zimperium said it warned Google about the flaw on April 9 and even provided a fix. The company claims Google responded the very next day, assuring a patch would be shared with customers in the future.

Typically, in these situations, companies are given a 90-day grace period to issue a fix. It’s a rule even Google abides by when it finds flaws in others’ software.

But it’s been 109 days, and a fix still isn’t largely available. That’s why Zimperium is now going public with the news.

The issue now is how quickly Google will manage to fix this for everybody. While Apple can push out updates to all iPhones, Google can’t.

Google is notorious for having a fractured distribution system. Several entities stand in between Google and its users, and they routinely slow down the release of new software. There are phone carriers — like AT&T and Verizon — and makers of physical devices — like Samsung — all of which need to work together to issue software updates.

Google told CNNMoney it already sent a fix to its “partners.” However, it’s unclear if any of them have started pushing that out to users themselves.

Another cybersecurity expert quoted by CNN, Chris Wysopal of Veracode, joined in describing StageFright as the mobile-phone answer to Heartbleed, and offered the ominous opinion that if Google can’t figure out a way to push updates to all the affected phones soon, “we have a big disaster on our hands.”

As Fortune observes, the StageFright bug was discovered in April and announced in July, but it has actually existed for five years, ever since the first flawed version of the Android OS was released. One of the things that mitigated the damage from Heartbleed was that it took a while for hackers to find it, giving the white hats a little time to distribute software updates. Blurting out the existence of something like StageFright the instant security experts discovered it could have dramatically increased the risk of hackers exploiting the bug, while Google could only immediately address a small percentage of Droid devices with speedy software fixes.

However, as with Heartbleed, some users will be upset they weren’t given timely warnings about such a potentially serious problem, especially those who keep sensitive information on their phones, or bring the phones into sensitive areas.