Update August 13: Phone makers and cellular carriers are beginning to roll out updates to fix this vulnerability; see step-by-step instructions for checking for and installing updates.
Last week, Austin hacker / researcher Joshua Drake disclosed a fairly significant flaw in all versions of Android, whereby a malicious multimedia message (aka a video text) could take control of the phone. This is a hacker's dream in that it does not require the victim to do anything. Simply receiving a message can trigger the flaw, because most messaging apps will automatically download the message and have it ready to display. This is very similar to the "text of death" that affected iPhone users a couple of months ago, but with the potential to actually take control of devices rather than merely crash them.
Tonight he is presenting his findings at BlackHat, a major security conference in Las Vegas. He will release details of his findings, including proof of concept code demonstrating the flaw, at the end of his talk. With the demonstration code, any software developer could reproduce his research.
[ Update: shorty after posting this, the research and proof of concept code were published to Zimperium's blog ]
If the name Joshua Drake sounds familiar, it's because I have written of his work before. Known among the hacker community as "jduck," Joshua found a flaw in ASUS wireless routers that would let anyone with access to your local network take control of the router. Shortly after he published that work, I wrote a post with a temporary solution until ASUS released a firmware fix.
Fixing the root vulnerability is in the hands of your cell phone manufacturer and your cellular carrier. Google has already fixed its own Nexus devices. Samsung has announced plans to begin monthly security updates, as has LG. Other manufacturers are sure to follow at varying paces.
According to Joshua, the flaw can be exploited though a variety of methods including multimedia messaging, email, Bluetooth, USB, and a web browser. Most of those methods either require the victim to do something (click a link, open an email). Messaging is the exception.
While you wait for your phone maker and cellular carrier to provide a permanent fix, there is something you can do to reduce the risk: by default your messaging app likely downloads multimedia messages automatically so they are immediately ready when you open the app. You can change that behavior. You will still get notifications of new messages, and plain text messages will show up without any additional effort, but media messages will then require that you click to download the message.
Messenger (native Android app)
Step 1: launch your messaging app and open the "Settings" menu.
Step 2: select the "Multimedia messages" option from the settings menu (for Android versions prior to 5.0, you can skip this step - the menu option from step 3 is actually in this menu).
Step 3: Uncheck "Auto retrieve."
This will not block every possible way this flaw can be exploited, but it blocks the most likely (and most dangerous) method.
Google Hangouts
If you use Hangouts, the same thing applies.
Step 1: open the Settings menu in Hangouts
Step 2: Click into the SMS sub-menu
Step 3: Uncheck Auto retrieve MMS
