Android

Meet 'Stagefright', the worst Android vulnerability in mobile OS history

Mihai A. posted by Mihai A.   /  Jul 27, 2015, 12:35 PM
Meet 'Stagefright', the worst Android vulnerability in mobile OS history
A team of mobile security researchers claims that about 950 million Android smartphones and tablets across the globe are subject to a critical vulnerability. According to their report, attackers can use this vulnerability, nicknamed Stagefright after the source of the issue, to take control of your device through a malicious MMS.

The vulnerability seems to be caused by insecure code contained within Stagefright, which has been Android's multimedia library since Android 2.2 FroYo came out in May 2010. Since Stagefright has been used for so many Android versions, the researchers claim that 95% of all Android devices currently out there manifest this vulnerability, but devices running pre-Jelly Bean versions of Android, or about 15% of active Android devices, are the most vulnerable. The researchers who have discovered the vulnerability claim that 'Stagefright' is "the worst Android vulnerabilities [sic] discovered to date".

According to researchers at Zimperium Mobile Security, attackers can get an Android device to execute code remotely by sending an MMS which the Android system believes to contain a video. In some of the most vulnerable scenarios (devices running pre-Jellybean Android versions), the user doesn't even have to open the MMS for the hack to work, and skilled attackers could also remove the MMS once the damage has been done. 

In other words, you can go to bed one night, and when you wake up, all you'll notice is a notification for an unread multimedia message that has been deleted in the meantime. Without you knowing it, an attacker could have gained access to the cameras, the microphone, and other sensitive data. Fortunately, due to the way Android sandboxes apps, the vulnerability doesn't expose all of your data, but still a lot of damage could come from such an exploit. 

Zimperium did not share all the details regarding Android's Stagefright vulnerability, but the team of researchers promised to discuss the bug in detail at the Black Hat USA conference on August 5 and at DEF CON 23 on August 7. The researchers did leave us with one glimmer of hope, claiming that there's no evidence of the vulnerability being exploited by anyone thus far.

According to Zimperium, Google was quick to come up with a patch for the vulnerability once informed of the vulnerable code's existence. But as it is often the case, Google is left helpless with deploying the patch to vulnerable devices. With the exception of Nexus and Google Play Edition devices, Google is not able to launch patches directly. Device manufacturers and carriers are the ones in charge with rolling out software updates, and experience tells us that some companies can take quite a bit of time to launch patches even for the most significant of vulnerabilities.

Hopefully, Android device manufacturers and carriers will recognize the severity of this vulnerability and will hurry to launch the patch for the new Stagefright bug/hack/exploit.

source: Zimperium via TheVerge

FEATURED VIDEO

Options

46 Comments

shaineql
Reply

1. shaineql

Posts: 522; Member since: Apr 28, 2014

Bla bla bla , so much viruses yet 5 years straight my devices running flawless. Use Google Play Store only and you are 100% save from all this bulls**t .

posted on Jul 27, 2015, 12:36 PM

ericnichols1999
Reply

2. ericnichols1999

Posts: 53; Member since: Apr 21, 2014

I feel like you didn't read the article

posted on Jul 27, 2015, 12:38 PM

shaineql
Reply

3. shaineql

Posts: 522; Member since: Apr 28, 2014

Ya ya, so ded , my phone gone , omg such vaunrability , lel.

posted on Jul 27, 2015, 12:40 PM

Mxyzptlk unregistered
Reply

29. Mxyzptlk unregistered

You're English is horrible. Don't be in denial salty one.

posted on Jul 27, 2015, 4:09 PM

Scott93274
Reply

40. Scott93274

Posts: 6030; Member since: Aug 06, 2013

I know you're going to get pissed off at me for this statement, but if you're going to criticize someone for poor English, you should at least know the difference between your & you're. You use both of them in comments 28 and 29 and both are used incorrectly.

posted on Jul 27, 2015, 9:18 PM

Mxyzptlk unregistered
Reply

42. Mxyzptlk unregistered

At least you can understand me. I have no clue what he was trying to say

posted on Jul 28, 2015, 12:42 AM

Scott93274
Reply

43. Scott93274

Posts: 6030; Member since: Aug 06, 2013

Alright, I'll have to agree with you there. LOL

posted on Jul 28, 2015, 7:15 AM

JunitoNH
Reply

46. JunitoNH

Posts: 1946; Member since: Feb 15, 2012

English is not his first language, for sure.

posted on Jul 30, 2015, 3:21 PM

anglosaxonengland
Reply

48. anglosaxonengland

Posts: 64; Member since: Sep 11, 2013

He's probably a those hackers who bunked off school. That'd probably explain his poor language skills, and denial.

posted on May 06, 2016, 9:23 PM

dariansdad
Reply

44. dariansdad

Posts: 1; Member since: Jul 28, 2015

Yes, because I'm smarter than you're.

posted on Jul 28, 2015, 9:41 AM

engineer-1701d unregistered
Reply

41. engineer-1701d unregistered

who the hell has pre jelly bean i mean if they do please crash them so they can get a new phone

posted on Jul 27, 2015, 11:12 PM

Plutonium239
Reply

4. Plutonium239

Posts: 1178; Member since: Mar 17, 2015

Apps from the google playstore contain malware, and besides that, this is exploited via MMS.

posted on Jul 27, 2015, 12:42 PM

legiloca
Reply

36. legiloca

Posts: 1675; Member since: Nov 11, 2014

hey you, read the whole article 1st before making such bs

posted on Jul 27, 2015, 7:47 PM

srirachacha
Reply

39. srirachacha

Posts: 23; Member since: Mar 06, 2015

I feel like you should read what you replied to again..

posted on Jul 27, 2015, 8:59 PM

JunitoNH
Reply

47. JunitoNH

Posts: 1946; Member since: Feb 15, 2012

I don't think "muchacho" read the article.

posted on Jul 30, 2015, 3:22 PM

TezzaBP
Reply

7. TezzaBP

Posts: 274; Member since: May 18, 2015

Yeah quit your bulls**t and actually read the damn article before commenting

posted on Jul 27, 2015, 12:45 PM

jellmoo
Reply

12. jellmoo

Posts: 2541; Member since: Oct 31, 2011

Whew, I was worried for a second, but your anecdotal evidence of a single user being malware free for 5 years has convinced me that my device is immune to attack.

posted on Jul 27, 2015, 12:58 PM

Plutonium239
Reply

14. Plutonium239

Posts: 1178; Member since: Mar 17, 2015

He may be infected with malware without knowing it. He is already infected with Google's adware/spyware. :)

posted on Jul 27, 2015, 1:07 PM

ihavenoname
Reply

17. ihavenoname

Posts: 1693; Member since: Aug 18, 2013

And you think that Apple/Microsoft don't spy their users?

posted on Jul 27, 2015, 1:23 PM

Scott93274
Reply

20. Scott93274

Posts: 6030; Member since: Aug 06, 2013

They think smart devices are effective without knowing a damn thing about the person using it. They're foolish.

posted on Jul 27, 2015, 1:51 PM

joey_sfb
Reply

37. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

So many Troll accounts being made to satisfy one insecurity.

posted on Jul 27, 2015, 8:28 PM

Mxyzptlk unregistered
Reply

28. Mxyzptlk unregistered

Bla bla bla your in denial.

posted on Jul 27, 2015, 4:08 PM

Scott93274
Reply

5. Scott93274

Posts: 6030; Member since: Aug 06, 2013

Well, Google already has a fix for it, the problem is getting carriers to push it out... I'm on Verizon, I guess I'm screwed. At least I don't use Hangouts. Alright, I dislike iOS and I love Android, and even I have to say that Apple beats Google hands down in situations like pushing out updates... It's just unfortunate that Apple's updates usually are riddled with flaws/bugs.

posted on Jul 27, 2015, 12:43 PM

Niva.
Reply

8. Niva.

Posts: 440; Member since: Jan 05, 2015

This is why if you have/buy a non-nexus phone you are comitting a sin.

posted on Jul 27, 2015, 12:48 PM

Scott93274
Reply

21. Scott93274

Posts: 6030; Member since: Aug 06, 2013

Well, Carriers can still hold up patches. I had a Galaxy Nexus and Verizon was a thorn in Google's side when it came to providing updates to that phone.... despite it being a Nexus device.

posted on Jul 27, 2015, 1:52 PM

Plutonium239
Reply

6. Plutonium239

Posts: 1178; Member since: Mar 17, 2015

I am glad I don't use Android. It is not as secure as Windows Phone. And I am not at the mercy of my carrier to get updates, Microsoft provides an easy way around this with the preview for developers app.

posted on Jul 27, 2015, 12:43 PM

joey_sfb
Reply

38. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

Windows are never known their strong security. Do you know how many security apps I need to install to make it acceptable. First is an antivirus - bitfender Second Malware scanner - Malwarebytes Third is a Firewall - Windows 10 firewall controls. Finally - encrypt the HDD. For me popular OS are always targeted regardless whether it's Windows or Android. It's user responsible to ensure their device is secure.

posted on Jul 27, 2015, 8:42 PM

RoboticEngi
Reply

9. RoboticEngi

Posts: 1251; Member since: Dec 03, 2014

Click bait........ They all have been the worst malware/virus/exploit/vulnability. And yet I really haven't been reading of millions or at least hundreds of thousands of androidusers loosing money, data etc......If all these "bad" was e real threat, why aren't we hearing about all the infected users loosing money/personal data? I mean there is over 1 billion users, where are all the ones infected ? Why don't we ever hear from them?

posted on Jul 27, 2015, 12:48 PM

elitewolverine
Reply

34. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

Because they don't know where the vunerability came from. In fact the most unsecure place is the bank apps, they were rated number 1 in security vunerablity. Just like there is over a billion windows devices, we don't see the collapse of the world because there are many virus' for it. But it is not hard to see, simply do a search, I could fill PA entire news page daily, with dozens of forums about someone being hacked, spyed on, or compromised. In fact in my daily job, I get to deal with....."My phone is saying it has been locked due to child pornography, and info will be released to the FBI if I don't pay 250 bucks." Low and behold it was dubbed the FBI hack and went by over a dozen app/process names that could only be fixed by a safemode reboot and removal (unless the app had secured admin privlages so that it couldn't be removed), or master reset. This is daily. Believe it or not, they don't blame google because half the people are unaware that Google even made the code to begin with. They always say, well I got this phone because it had google on it. They literally think that iPhone, windows, blackberry, or other devices have ZERO google access, until I show them my phone with google email, calendar, etc on my phone. So when s**t happens they don't blame android, to them, while the phone is a PC they blame, Samsung, Sony, Verizon, and more, without once stopping to think....oh fck Android is the problem. In fact I dare you to call TMobile, ask about the virus on your phone talking about an FBI warning. They will search their documents, and give you information about the virus. They only put in official documents problems that affect call volume to thousands more a day. They have other docs to deal with it as well. The point of this long arse post to your baby clouded world? You literally have no freaking clue about the average consumer. And here is a link that took 2 seconds with horrible wording "Android billion dollar virus" as the search term,https://www.virusbtn.com/conference/vb2013/abstracts/Mullaney.xml

posted on Jul 27, 2015, 7:18 PM

Veigald
Reply

45. Veigald

Posts: 290; Member since: Jan 13, 2012

Guess when even CNN reports about it, it's pretty serious.

posted on Jul 29, 2015, 6:26 AM

view all comments
Want to comment? Please Log in or sign up.

Featured stories

New-Pixel-4-renders-appear
Check out the latest Google Pixel 4 renders
Best-free-games-android-phone-tablet-2019
Best free Android games to play on your phone or tablet in 2019
FaceApps-incredible-overnight-success-gives-us-a-few-important-lessons
FaceApp's incredible overnight success gives us a few important lessons
Google-Pixel-4-XL-specs-leak
Alleged Google Pixel 4 & Pixel 4 XL specs emerge in new leak
samsung-galaxy-tab-s6-leaked-new-press-renders-specs-features
Massive new leak reveals the high-end Samsung Galaxy Tab S6 in all its glory
Apple-iPhone-11-Max-design-camera-dummy-unit
Here's what the iPhone 11 Max will probably look like
Note-10-Exynos-9825-Snapdragon-855-Plus-top-benchmarks
Note 10 may be the fastest Android alive as new Exynos 9825 and Snapdragon 855+ benchmarks leak
What-is-Note-10-Sound-on-Display-soundcasting-all-screen-design-technology-explained
Here's how Note 10 may use Sound on Display tech to get an 'all-screen' design

Popular stories

best-buy-samsung-galaxy-s10-family-deals-massive-discounts-carrier-activation
Best Buy is now offering discounts of between $400 and $500 on the entire Galaxy S10 family
Best-Buy-deal-takes-as-much-as-80-percent-off-of-the-Moto-G7-Power
Moto G7 Power and its 5000mAh battery on sale for as low as $49.99 at Best Buy
best-buy-massive-sale-moto-g7-family-moto-z3-play-more
Best Buy is running a massive sale on Moto G7 phones, the Moto Z3 Play, and more
amazon-fire-hd-8-woot-deal-brand-new-units-with-warranty
Woot has brand-new Amazon Fire HD 8 units on sale at big discounts, no Prime needed
T-Mobile-will-give-you-a-free-phone-when-you-add-a-line
New and existing T-Mobile customers can score a free phone by adding a new line
Google-Pixel-4-XL-Hole-on-the-front-raises-questions
Google Pixel 4 XL will come with a mysterious new sensor: what is it?
woot-deals-google-pixel-3-pixel-2-original-pixel-refurbished-warranty
Woot is deeply discounting every high-end Google Pixel phone ever released (refurbished)
Update-bricks-Verizon-Galaxy-S10-units
Samsung says there is only one fix for Verizon Galaxy S10 units bricked by the latest update

Hot phones

Latest Stories

View more
This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.