
Meet 'Stagefright', the worst Android vulnerability in mobile OS history

Posted by Mihai A.

A team of mobile security researchers claims that about 950 million Android smartphones and tablets across the globe are subject to a critical vulnerability. According to their report, attackers can use this vulnerability, nicknamed Stagefright after the source of the issue, to take control of your device through a malicious MMS.

The vulnerability seems to be caused by insecure code contained within Stagefright, which has been Android's multimedia library since Android 2.2 FroYo came out in May 2010. Since Stagefright has been used for so many Android versions, the researchers claim that 95% of all Android devices currently out there manifest this vulnerability, but devices running pre-Jelly Bean versions of Android, or about 15% of active Android devices, are the most vulnerable. The researchers who have discovered the vulnerability claim that 'Stagefright' is "the worst Android vulnerabilities [sic] discovered to date".

According to researchers at Zimperium Mobile Security, attackers can get an Android device to execute code remotely by sending an MMS which the Android system believes to contain a video. In some of the most vulnerable scenarios (devices running pre-Jelly Bean Android versions), the user doesn't even have to open the MMS for the hack to work, and skilled attackers could also remove the MMS once the damage has been done.

In other words, you can go to bed one night, and when you wake up, all you'll notice is a notification for an unread multimedia message that has been deleted in the meantime. Without you knowing it, an attacker could have gained access to the cameras, the microphone, and other sensitive data. Fortunately, due to the way Android sandboxes apps, the vulnerability doesn't expose all of your data, but still a lot of damage could come from such an exploit. 

Zimperium did not share all the details regarding Android's Stagefright vulnerability, but the team of researchers promised to discuss the bug in detail at the Black Hat USA conference on August 5 and at DEF CON 23 on August 7. The researchers did leave us with one glimmer of hope, claiming that there's no evidence of the vulnerability being exploited by anyone thus far.

According to Zimperium, Google was quick to come up with a patch for the vulnerability once informed of the vulnerable code's existence. But, as is often the case, Google is left helpless when it comes to deploying the patch to vulnerable devices. With the exception of Nexus and Google Play Edition devices, Google is not able to push patches directly. Device manufacturers and carriers are the ones in charge of rolling out software updates, and experience tells us that some companies can take quite a bit of time to release patches, even for the most significant of vulnerabilities.

Hopefully, Android device manufacturers and carriers will recognize the severity of this vulnerability and will hurry to launch the patch for the new Stagefright bug/hack/exploit.

source: Zimperium via TheVerge

48 Comments





posted on 27 Jul 2015, 12:36 15

1. shaineql (Posts: 421; Member since: 28 Apr 2014)


Bla bla bla , so much viruses yet 5 years straight my devices running flawless.
Use Google Play Store only and you are 100% save from all this bulls**t .

posted on 27 Jul 2015, 12:38 33

2. ericnichols1999 (Posts: 53; Member since: 21 Apr 2014)


I feel like you didn't read the article

posted on 27 Jul 2015, 12:40 4

3. shaineql (Posts: 421; Member since: 28 Apr 2014)


Ya ya, so ded , my phone gone , omg such vaunrability , lel.

posted on 27 Jul 2015, 16:09 5

29. Mxyzptlk (unregistered)


You're English is horrible. Don't be in denial salty one.

posted on 27 Jul 2015, 21:18 9

40. Scott93274 (Posts: 5287; Member since: 06 Aug 2013)


I know you're going to get pissed off at me for this statement, but if you're going to criticize someone for poor English, you should at least know the difference between your & you're. You use both of them in comments 28 and 29 and both are used incorrectly.

posted on 28 Jul 2015, 00:42 3

42. Mxyzptlk (unregistered)


At least you can understand me. I have no clue what he was trying to say

posted on 28 Jul 2015, 07:15 2

43. Scott93274 (Posts: 5287; Member since: 06 Aug 2013)


Alright, I'll have to agree with you there. LOL

posted on 30 Jul 2015, 15:21

46. JunitoNH (Posts: 1931; Member since: 15 Feb 2012)


English is not his first language, for sure.

posted on 06 May 2016, 21:23

48. anglosaxonengland (Posts: 57; Member since: 11 Sep 2013)


He's probably one of those hackers who bunked off school.

That'd probably explain his poor language skills, and denial.

posted on 28 Jul 2015, 09:41

44. dariansdad (Posts: 1; Member since: 28 Jul 2015)


Yes, because I'm smarter than you're.

posted on 27 Jul 2015, 23:12 1

41. engineer-1701d (unregistered)


who the hell has pre jelly bean i mean if they do please crash them so they can get a new phone

posted on 27 Jul 2015, 12:42 9

4. Plutonium239 (Posts: 1079; Member since: 17 Mar 2015)


Apps from the google playstore contain malware, and besides that, this is exploited via MMS.

posted on 27 Jul 2015, 19:47 2

36. legiloca (Posts: 1446; Member since: 11 Nov 2014)


hey you, read the whole article 1st before making such bs

posted on 27 Jul 2015, 20:59 3

39. srirachacha (Posts: 21; Member since: 06 Mar 2015)


I feel like you should read what you replied to again..

posted on 30 Jul 2015, 15:22

47. JunitoNH (Posts: 1931; Member since: 15 Feb 2012)


I don't think "muchacho" read the article.

posted on 27 Jul 2015, 12:45 4

7. TezzaBP (Posts: 274; Member since: 18 May 2015)


Yeah quit your bulls**t and actually read the damn article before commenting

posted on 27 Jul 2015, 12:58 2

12. jellmoo (Posts: 1958; Member since: 31 Oct 2011)


Whew, I was worried for a second, but your anecdotal evidence of a single user being malware free for 5 years has convinced me that my device is immune to attack.

posted on 27 Jul 2015, 13:07 1

14. Plutonium239 (Posts: 1079; Member since: 17 Mar 2015)


He may be infected with malware without knowing it. He is already infected with Google's adware/spyware. :)

posted on 27 Jul 2015, 13:23 14

17. ihavenoname (Posts: 1693; Member since: 18 Aug 2013)


And you think that Apple/Microsoft don't spy on their users?

posted on 27 Jul 2015, 13:51

20. Scott93274 (Posts: 5287; Member since: 06 Aug 2013)


They think smart devices are effective without knowing a damn thing about the person using it. They're foolish.

posted on 27 Jul 2015, 20:28 2

37. joey_sfb (Posts: 6507; Member since: 29 Mar 2012)


So many Troll accounts being made to satisfy one insecurity.

posted on 27 Jul 2015, 16:08

28. Mxyzptlk (unregistered)


Bla bla bla your in denial.

posted on 27 Jul 2015, 12:43 9

5. Scott93274 (Posts: 5287; Member since: 06 Aug 2013)


Well, Google already has a fix for it, the problem is getting carriers to push it out... I'm on Verizon, I guess I'm screwed. At least I don't use Hangouts.



Alright, I dislike iOS and I love Android, and even I have to say that Apple beats Google hands down in situations like pushing out updates... It's just unfortunate that Apple's updates usually are riddled with flaws/bugs.

posted on 27 Jul 2015, 12:48 3

8. Niva. (Posts: 433; Member since: 05 Jan 2015)


This is why if you have/buy a non-Nexus phone you are committing a sin.

posted on 27 Jul 2015, 13:52 1

21. Scott93274 (Posts: 5287; Member since: 06 Aug 2013)


Well, Carriers can still hold up patches. I had a Galaxy Nexus and Verizon was a thorn in Google's side when it came to providing updates to that phone.... despite it being a Nexus device.

posted on 27 Jul 2015, 12:43 5

6. Plutonium239 (Posts: 1079; Member since: 17 Mar 2015)


I am glad I don't use Android. It is not as secure as Windows Phone. And I am not at the mercy of my carrier to get updates, Microsoft provides an easy way around this with the preview for developers app.

posted on 27 Jul 2015, 13:48 18

19. lyndon420 (Posts: 4923; Member since: 11 Jul 2012)


Never heard someone say that WP was secure before. Is this due to the extremely small user base? It's my understanding that hackers will target platforms with a solid user base before even justifying the creation of malware.

posted on 27 Jul 2015, 19:09

33. elitewolverine (Posts: 5192; Member since: 28 Oct 2013)


About the same user base that the OSX desktop shared yet still had malware written for it.

Percentages be damned, we just know as of right now there is not a security vulnerability that is aimed at windows phone and each year it isn't broken in the hacking challenge.

http://www.techoven.com/2014/11/windows-phone-the-only-os-to-survive-pwn2own-hacking-challenge-2847

posted on 27 Jul 2015, 20:42 1

38. joey_sfb (Posts: 6507; Member since: 29 Mar 2012)


Windows are never known for their strong security. Do you know how many security apps I need to install to make it acceptable?

First is an antivirus - Bitdefender
Second is a malware scanner - Malwarebytes
Third is a firewall - Windows 10 firewall controls.
Finally - encrypt the HDD.

For me, popular OSes are always targeted, regardless of whether it's Windows or Android.

It's the user's responsibility to ensure their device is secure.

posted on 27 Jul 2015, 12:48 6

9. RoboticEngi (Posts: 1032; Member since: 03 Dec 2014)


Click bait... They all have been the worst malware/virus/exploit/vulnerability. And yet I really haven't been reading of millions or at least hundreds of thousands of Android users losing money, data etc... If all these "bad" were a real threat, why aren't we hearing about all the infected users losing money/personal data? I mean there is over 1 billion users, where are all the ones infected? Why don't we ever hear from them?
