You may recall the stories in April 2014 about Heartbleed, a major flaw in website software that put thousands of websites at risk of attack from hackers. The latest worry for security experts and consumers is being called “Heartbleed for mobile,” and it involves the most popular mobile operating system on the planet, Android. Nearly one billion phones could be hit by what’s being called the Stagefright exploit, and all it would take to infect your Android phone would be a text with video sent your way. How could supposedly tech-savvy companies miss something like this, and what’s being done about it?

GPB sci-tech correspondent Renay San Miguel joins Bradley George to talk about Stagefright.

· This particular hack seems especially scary, because it doesn’t really involve the consumer having to do anything, like open a strange attachment or click on a link. How does it work?

Stagefright refers to the media playback feature in Android phones, and it cuts down on the time it takes for your phone to process media. All a hacker really needs in this case is your mobile phone number. The hacker sticks the malware in a video that’s part of a text message and sends it to you. If you’re using Google’s Hangout messaging app, it really speeds up the media processing, so the hack takes place immediately before you even know it’s arrived on your phone. Even if you’re using the default Android messaging app that came with your phone, if you view that text, you’re hacked. That means a bad guy could steal data like credit card numbers from your phone, wipe the data off of it remotely, activate the camera and microphone to spy on you. I can’t think of a more insidious hack involving mobile devices.

· It’s my understanding that Google, which makes Android, has known about this since April, so you would think it would have patches ready to go, but it’s not quite that simple.

April was when a researcher with a security company, Zimperium, discovered the Stagefright flaw. He told Google about it, and then gave the company three months to fix things before he would start talking about what he discovered. So Google has patches ready and sent out to all the vendors that make Android phones, but here’s where things get tricky. Unlike Apple, which makes the hardware and software for all its phones and can easily fix security flaws, Google has to rely on the speed of its hardware partners, like HTC, LG, Motorola, etc., in addition to working with its network operators like Verizon and AT&T, to get the patches to the 950 million Android phones that are believed to be susceptible to this hack. Also, the Stagefright flaw could affect versions of Android that have been around for five years, so unlike newer Android phones that get automatic patches, some of those older phones may never get fixed.

· Android is supposed to be the open source operating system, meaning all of Google’s mobile partners get to tweak it and make it their own. How could all those eyes and all those experts miss something like this?

The myth about Android, espoused especially by fans of Apple iOS and Windows Phone, is that open source equals leaky operating systems that don’t value security. There are security protocols and platforms in place for Android, but as it states on the Android Open Source Project website, the controls are designed to minimize damage from social engineering hacks, where a hacker tries to fool you into doing something you shouldn’t, and attacks on third party companies working with Android. This flaw is within the software itself, and as Microsoft long ago discovered, the more features and cool things you enable in your software for customers, the more potential you create for back doors where a hacker can sneak inside and do some damage. Android is a very cool operating system that allows for a lot of user customization, but the sheer number of players means you’re herding a lot of cats to keep things safe and secure.

· You just spent some time working on a story about mobile security for the national SciTech Now show on PBS. What did you learn and how does Stagefright fit in?

We spoke with a local company, Pindrop Security, that has a solution for phone fraud, which not only involves landline phones but also mobile devices, and they’re seeing a rise in such fraud cases. We spoke with them and with experts from Georgia Tech who mention that while mobile devices have some inherent advantages over desktops when it comes to security – no hard drive to hack, a GPS feature for tracking and apps that can cordon off important data from other more leaky apps – there’s still the third-party situation to deal with. Also, in the first quarter of this year, more people shopped from their mobile devices than from their desktops, and we’re expecting one billion mobile banking customers worldwide by 2017. So that’s what’s at stake – a more mobile society, and of course, hackers are taking the Willie Sutton approach to this – they go where the money is.
