Tuesday, 28 Jul 2015

On Android, Stagefright can be Very Bad

Joshua Drake (@jduck) from Zimperium zLabs has uncovered the mother of all Android vulnerabilities, affecting an estimated 95%, or 950 million, of all Android devices. The heart of the problem lies within Stagefright, a media library for playing back various formats.

Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

The good news:

Considering the severity of the problem, Google acted promptly and applied the patches to internal code branches within 48 hours…

The not so good news:

For the mobile devices without zIPS protection, fixes for these issues require an OTA firmware update for all affected devices. Such updates for Android devices have traditionally taken a long time to reach users. Devices older than 18 months are unlikely to receive an update at all.

If you’re an Android user, now might be a good time to look at updating your firmware.