Your mobile number is all it takes for this Android megabug to gain remote code execution privileges on your Android device.

Called the “mother of all Android vulnerabilities,” this bug puts some 950 million Android phones at risk of hacking. No one has exploited the vulnerability and actually hacked someone’s phone — at least, not yet. The security firm that found the bug, Zimperium, shared the information with Google back in April, along with a suggested patch. This means that chances of you getting hacked are pretty slim. But if you are an Android user, the chances that your phone is vulnerable are about 95 percent.

In a blog post on its website, Zimperium said 95 percent of Android devices worldwide are vulnerable. “The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers,” it warned.

Researchers at Zimperium say that attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

FAQs about Stagefright

Where does the name come from?

“Stagefright” is the name of the media library—a portion of Android’s open source code—in which the bugs were found. It’s obviously a great bug name, too.

What does this media library do?

Stagefright—the library, not the bug — helps phones unpack multimedia messages. It enables Android phones to interpret MMS content (multimedia message service content), which can contain videos, photos, audio, text, as opposed to, say, SMS content (short message service content), which can contain only 160 characters. The bugs are in that library.

So, Stagefright is a bug?

Stagefright is a collection of bugs, if you want to be technical. Seven to be exact. If you want to get real technical, their designations are:

CVE-2015-1538,
CVE-2015-1539,
CVE-2015-3824,
CVE-2015-3826,
CVE-2015-3827,
CVE-2015-3828, and
CVE-2015-3829

Why you should care about it?

An attacker can infect your device simply by sending you a malicious MMS message. In fact, a victim doesn’t even have to open the message for the attack to work. Once the message is received, your phone is toast.

Once inside, an attacker can access your phone’s data, photos, camera, microphone.

Is the issue solved?

This bug was reported by Joshua Drake, a researcher at the mobile security company Zimperium zLabs in April. Google patched the bug within two days.

So, I am safe now?

Not exactly. Google’s Android ecosystem relies on its partnering phone-makers to push out software upgrades. That means Samsung, HTC, LG, Lenovo, Motorola, Sony, among others, are responsible for delivering the patches to customers, even companies like Cyanogenmod who create modded ROMs based on Android.

What can you do to be safe?

  • Try asking your device vendor whether a patch is available already. You may be able to get ahead of the game.

  • If you can’t get a patch right now, find out when to expect it so that you can apply it as soon as you can.

  • If your messaging app supports it (Messaging and Hangouts both do), turn off Automatically retrieve MMS messages.

  • If your device supports it, consider blocking messages from unknown senders if you haven’t already.

  • If your SMS/MMS app doesn’t allow you to turn off Automatically retrieve messages, consider simply switching back to Android Messaging, which does.

Sources: Zimperium, CBS News, Naked Security, Fortune