The vast majority of Android phones can be hacked by sending them a specially crafted multimedia message (MMS), a security researcher has found.

The scary exploit, which only requires knowing the victim’s phone number, was developed by Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium.

Drake found multiple vulnerabilities in a core Android component called Stagefright that’s used to process, play and record multimedia files. Some of the flaws allow for remote code execution and can be triggered when receiving an MMS message, downloading a specially crafted video file through the browser or opening a Web page with embedded multimedia content.

There are many potential attack vectors because whenever the Android OS receives media content from any source it will run it through this framework, Drake said.

The library is not used just for media playback, but also to automatically generate thumbnails or to extract metadata from video and audio files such as length, height, width, frame rate, channels and other similar information.

This means that users don’t necessarily have to execute malicious multimedia files in order for the vulnerabilities found by Drake to be exploited. The mere copying of such files onto the file system is enough.

The researcher isn’t sure how many applications rely on Stagefright, but he believes that just about any app that handles media files on Android uses the component in one way or another.

The MMS attack vector is the scariest of all because it doesn’t require any interaction from the user; the phone just needs to receive a malicious message.

For example, the attacker could send the malicious MMS when the victim is sleeping and the phone’s ringer is silenced, Drake said. After exploitation the message can be deleted, so the victim will never even know that his phone was hacked, he said.

The researcher didn’t just find the vulnerabilities, but actually created the necessary patches and shared them with Google in April and early May. The company took the issues very seriously and applied the patches to its internal Android code base within 48 hours, he said.

That code gets shared in advance with device manufacturers that are in the Android partnership program, before it’s released publicly as part of the Android Open Source Project (AOSP).

Unfortunately, due to the generally slow pace of Android updates, over 95 percent of Android devices are still affected, Drake estimates.

Even among Google’s Nexus line of devices, which typically get patches faster than those from other manufacturers, only the Nexus 6 has received some of the fixes so far, the researcher said.

Android patches can take months to reach end-user devices through over-the-air updates. That’s because manufacturers have to first pull Google’s code into their own repositories, build new firmware versions for each of their devices, test them and then work with mobile carriers to distribute the updates. Devices older than 18 months generally stop receiving updates entirely, leaving them vulnerable to newly discovered issues indefinitely.

The vulnerabilities found by Drake affect devices running Android versions 2.2 and higher, which means that there are a huge number of devices that will probably never receive patches for them.

The researcher estimates that only around 20 to 50 percent of the Android devices that are in use today will end up getting patches for the issues he found. He noted that 50 percent is wishful thinking and that he would be amazed if that happened.

In an emailed statement, Google thanked Drake for his contribution and confirmed that patches have been provided to partners.

“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult,” the company said. “Android devices also include an application sandbox designed to protect user data and other applications on the device.”

What attackers can do after they exploit the vulnerabilities found by Drake can vary from device to device. Their malicious code will be executed with the privileges of the Stagefright framework, which on some devices are higher than on others. In general the attackers will get access to the microphone, camera and the external storage partition, but won’t be able to install applications or access their internal data.

That said, Drake estimates that on around 50 percent of the affected devices the framework runs with system privileges, making it easy to gain root access and therefore complete control of the device. On the rest of the devices, attackers would need a separate privilege escalation vulnerability to gain full access.

Since the patches for these flaws are not yet in AOSP, device manufacturers that are not Google partners don’t have access to them. It also means that third-party AOSP-based firmware like CyanogenMod is still likely vulnerable.

Drake shared the patches privately with some other affected parties, including Silent Circle and Mozilla.

Silent Circle included the fixes in version 1.1.7 of PrivatOS, the Android-based firmware it developed for its Blackphone privacy-focused device.

Mozilla Firefox for Android, Windows and Mac, as well as Firefox OS, were affected by the flaws because they used a forked version of Stagefright. Mozilla fixed the issues in Firefox 38, released in May.

Drake plans to present more details about the vulnerabilities along with proof-of-concept exploit code at the Black Hat Security conference on Aug. 5.