About 80 percent of smartphones worldwide run Android, and just about all of those have a major vulnerability in their software, according to experts at Zimperium, a cybersecurity company specializing in mobile devices.
What makes this problem a gaping security hole is that the victims don't even need to be tricked into downloading or opening a bad file - attackers only need to send them a text message for the malware to take hold.
The issue stems from the way Android processes incoming text messages. Media playback software utilized by Android, called Stagefright, processes media files, such as images or video, sent to your device before you even open the message. Hackers can hide malware in those files, getting Stagefright to automatically unleash them onto your phone, thus giving attackers unfettered access to copy and delete data or use the camera, microphone, and GPS to track your every move.
Comment: Stagefright: Everything you need to know about Google's Android megabug
Where does the name come from?
"Stagefright" is the name of the media library—a portion of Android's open source code—in which the bugs were found. It's obviously a great bug name, too.
No lie. What does that media library do?
Stagefright—the library, not the bug—helps phones unpack multimedia messages. It enables Android phones to interpret MMS content (multimedia message service content), which can contain videos, photos, audio, text, as opposed to, say, SMS content (short message service content), which can contain only 160 characters. The bugs are in that library.
"This happens even before the sound that you've received a message has even occurred," Joshua Drake, a security researcher with Zimperium, told NPR. "That's what makes it so dangerous. [It] could be absolutely silent. You may not even see anything."