Android phones can be hacked with a text, security firm says

Last Updated Jul 28, 2015 6:52 AM EDT

A security research company has found what it's calling "the mother of all Android vulnerabilities" - a flaw in the popular mobile operating system that could give hackers access to millions of users' personal data.

The flaw was uncovered by the security firm Zimperium, which says it exists in Stagefright, the media playback tool built into Android. As CNET explains, malicious hackers could take advantage of it by sending a text message containing malware to an Android device; once received by the smartphone, it would give them complete control over the handset and allow them to steal anything on it, such as credit card numbers or personal information.

"What they figured out how to do," CNET's Dan Ackerman told CBS News, "is send you a text message that includes a video file in it. Because very often you can get a text that has a photo or video in it. And in the code for that video file is a string of malicious code that will then activate. And the catch is, you don't have to actually watch the video. Just receiving it is enough to give people, potentially, access to your Android phone."

In a blog post on its website, Zimperium said 95 percent of Android devices worldwide are vulnerable. "The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers," it warned.

But the company told National Public Radio that so far, the flaw has not been exploited by hackers. "That's the good news," Ackerman said.

The company also said it informed Google - the company behind Android - when it first discovered the vulnerability in April and supplied patches that would fix the problem.

In an updated statement provided to CBS News on Tuesday, a Google spokesperson said: "This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users."

The company also noted that it offers rewards programs to encourage security researchers to report any flaws they find and help make the system more secure. Google thanked Zimperium researcher Joshua Drake for his contribution - identifying and reporting the Stagefright vulnerability.

But even with a security patch available, many users could still be at risk. Drake told NPR that he estimates only about 20 percent to 50 percent of Android devices currently in consumers' hands will actually get the updates due to vendors being slow to react - if they react at all.

The number of phones potentially affected could be huge. Android is expected to hold more than 79 percent of the global smartphone market share this year, with more than 1.1 billion devices shipping in 2015, according to a report by the industry analyst IDC.

You can read more about the so-called Stagefright vulnerability on our partner site, CNET.com.