An estimated 950 million Android devices worldwide are at risk of the Stagefright bug that attacks through text video or picture.
Stagefright is found in the open source code of Google’s Android operating system, Fortune magazine said.
CBS Pittsburgh noted that Android users don’t even have to open the text for the attack to set in. This means it can access your phone without you even knowing it.
Google learned about one set of vulnerabilities in April and another set in May.
Analyst Joshua Drake, of mobile security company Zimperium zLabs, discovered the bug. He told National Public Radio that once the bug is inside, a hacker can steal everything on your phone, CBS Pittsburgh wrote.
Fortune magazine added that the attacker can even delete the bug-carrier message from your device before you even realize that your phone has been compromised.
It said you can assume that your device is vulnerable if it runs on Android version 2.2 or above. The most vulnerable phones predate Jelly Bean (version 4.1), and that accounts for about 11% of Android phones on the market, Fortune magazine added.
Forbes magazine explained that since the bug works by downloading code via MMS, to avoid being infected you must go to your SMS settings either on your phone’s SMS app or through Google Hangouts and disable the auto-download MMS messages option and your phone will not be able to execute the malicious code automatically.
Drake has released patches and Google has also adopted them within two days.
However, although Google has fixed the bug, it will take some time before those fixes actually reach the end users.
Fortune magazine explained this is because Google’s Android ecosystem relies on its partner phone-makers to pass on the patches. That means Samsung, Sony, LG, Motorola, and others are responsible for delivering the patches to customers.