A bug that allows remote code execution has existed in the Google Android mobile operating system for over five years.
In April, a security researcher named Joshua J. Drake discovered a vulnerability in the media handler on Android devices. Stagefright is the name of the handler rather than of the vulnerability per se. Drake found that an attacker can craft a special type of media file that, once accessed on a vulnerable Android device, can execute arbitrary code without the device owner being aware of it. Pretty much all Android devices are vulnerable.
MMS is the most likely means of getting this media file to a victim’s device, but simply accessing the file over email or through a mobile web browser would have exactly the same effect.
It’s not quite as bad as it looks, though. Mobile operating systems, unlike legacy PC operating systems, have been built with the principle of least privilege in mind. All applications run in different sandboxed environments with just enough system rights to accomplish their respective tasks. Although the Stagefright process responsible for managing media on Android devices cannot by itself gain access to private data on your device, it does have access to your phone’s microphone and camera and would be able to turn them on at will.
It is theoretically possible to combine the Stagefright exploit with a root vulnerability to allow an attacker to break out of the process sandbox and access sensitive data from other applications on your device, but that’s pretty unlikely.
As far as sensitive applications on Android are concerned – your mobile banking app for instance – it’s best to offload your critical security processing to the Trusted Execution Environment (TEE) available on many popular Android-based handsets.