Meet 'Stagefright', the worst Android vulnerability in mobile OS history

Meet 'Stagefright', the worst Android vulnerability in mobile OS history
A team of mobile security researchers claims that about 950 million Android smartphones and tablets across the globe are subject to a critical vulnerability. According to their report, attackers can use this vulnerability, nicknamed Stagefright after the source of the issue, to take control of your device through a malicious MMS.

The vulnerability seems to be caused by insecure code contained within Stagefright, which has been Android's multimedia library since Android 2.2 FroYo came out in May 2010. Since Stagefright has been used for so many Android versions, the researchers claim that 95% of all Android devices currently out there manifest this vulnerability, but devices running pre-Jelly Bean versions of Android, or about 15% of active Android devices, are the most vulnerable. The researchers who have discovered the vulnerability claim that 'Stagefright' is "the worst Android vulnerabilities [sic] discovered to date".

According to researchers at Zimperium Mobile Security, attackers can get an Android device to execute code remotely by sending an MMS which the Android system believes to contain a video. In some of the most vulnerable scenarios (devices running pre-Jellybean Android versions), the user doesn't even have to open the MMS for the hack to work, and skilled attackers could also remove the MMS once the damage has been done. 

In other words, you can go to bed one night, and when you wake up, all you'll notice is a notification for an unread multimedia message that has been deleted in the meantime. Without you knowing it, an attacker could have gained access to the cameras, the microphone, and other sensitive data. Fortunately, due to the way Android sandboxes apps, the vulnerability doesn't expose all of your data, but still a lot of damage could come from such an exploit. 

Zimperium did not share all the details regarding Android's Stagefright vulnerability, but the team of researchers promised to discuss the bug in detail at the Black Hat USA conference on August 5 and at DEF CON 23 on August 7. The researchers did leave us with one glimmer of hope, claiming that there's no evidence of the vulnerability being exploited by anyone thus far.

According to Zimperium, Google was quick to come up with a patch for the vulnerability once informed of the vulnerable code's existence. But as it is often the case, Google is left helpless with deploying the patch to vulnerable devices. With the exception of Nexus and Google Play Edition devices, Google is not able to launch patches directly. Device manufacturers and carriers are the ones in charge with rolling out software updates, and experience tells us that some companies can take quite a bit of time to launch patches even for the most significant of vulnerabilities.

Hopefully, Android device manufacturers and carriers will recognize the severity of this vulnerability and will hurry to launch the patch for the new Stagefright bug/hack/exploit.

source: Zimperium via TheVerge

FEATURED VIDEO

46 Comments

1. shaineql

Posts: 521; Member since: Apr 28, 2014

Bla bla bla , so much viruses yet 5 years straight my devices running flawless. Use Google Play Store only and you are 100% save from all this bulls**t .

2. ericnichols1999

Posts: 53; Member since: Apr 21, 2014

I feel like you didn't read the article

3. shaineql

Posts: 521; Member since: Apr 28, 2014

Ya ya, so ded , my phone gone , omg such vaunrability , lel.

29. Mxyzptlk unregistered

You're English is horrible. Don't be in denial salty one.

40. Scott93274

Posts: 6025; Member since: Aug 06, 2013

I know you're going to get pissed off at me for this statement, but if you're going to criticize someone for poor English, you should at least know the difference between your & you're. You use both of them in comments 28 and 29 and both are used incorrectly.

42. Mxyzptlk unregistered

At least you can understand me. I have no clue what he was trying to say

43. Scott93274

Posts: 6025; Member since: Aug 06, 2013

Alright, I'll have to agree with you there. LOL

46. JunitoNH

Posts: 1946; Member since: Feb 15, 2012

English is not his first language, for sure.

48. anglosaxonengland

Posts: 64; Member since: Sep 11, 2013

He's probably a those hackers who bunked off school. That'd probably explain his poor language skills, and denial.

44. dariansdad

Posts: 1; Member since: Jul 28, 2015

Yes, because I'm smarter than you're.

41. engineer-1701d unregistered

who the hell has pre jelly bean i mean if they do please crash them so they can get a new phone

4. Plutonium239

Posts: 1154; Member since: Mar 17, 2015

Apps from the google playstore contain malware, and besides that, this is exploited via MMS.

36. legiloca

Posts: 1675; Member since: Nov 11, 2014

hey you, read the whole article 1st before making such bs

39. srirachacha

Posts: 23; Member since: Mar 06, 2015

I feel like you should read what you replied to again..

47. JunitoNH

Posts: 1946; Member since: Feb 15, 2012

I don't think "muchacho" read the article.

7. TezzaBP

Posts: 274; Member since: May 18, 2015

Yeah quit your bulls**t and actually read the damn article before commenting

12. jellmoo

Posts: 2531; Member since: Oct 31, 2011

Whew, I was worried for a second, but your anecdotal evidence of a single user being malware free for 5 years has convinced me that my device is immune to attack.

14. Plutonium239

Posts: 1154; Member since: Mar 17, 2015

He may be infected with malware without knowing it. He is already infected with Google's adware/spyware. :)

17. ihavenoname

Posts: 1693; Member since: Aug 18, 2013

And you think that Apple/Microsoft don't spy their users?

20. Scott93274

Posts: 6025; Member since: Aug 06, 2013

They think smart devices are effective without knowing a damn thing about the person using it. They're foolish.

37. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

So many Troll accounts being made to satisfy one insecurity.

28. Mxyzptlk unregistered

Bla bla bla your in denial.

5. Scott93274

Posts: 6025; Member since: Aug 06, 2013

Well, Google already has a fix for it, the problem is getting carriers to push it out... I'm on Verizon, I guess I'm screwed. At least I don't use Hangouts. Alright, I dislike iOS and I love Android, and even I have to say that Apple beats Google hands down in situations like pushing out updates... It's just unfortunate that Apple's updates usually are riddled with flaws/bugs.

8. Niva.

Posts: 440; Member since: Jan 05, 2015

This is why if you have/buy a non-nexus phone you are comitting a sin.

21. Scott93274

Posts: 6025; Member since: Aug 06, 2013

Well, Carriers can still hold up patches. I had a Galaxy Nexus and Verizon was a thorn in Google's side when it came to providing updates to that phone.... despite it being a Nexus device.

6. Plutonium239

Posts: 1154; Member since: Mar 17, 2015

I am glad I don't use Android. It is not as secure as Windows Phone. And I am not at the mercy of my carrier to get updates, Microsoft provides an easy way around this with the preview for developers app.

38. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

Windows are never known their strong security. Do you know how many security apps I need to install to make it acceptable. First is an antivirus - bitfender Second Malware scanner - Malwarebytes Third is a Firewall - Windows 10 firewall controls. Finally - encrypt the HDD. For me popular OS are always targeted regardless whether it's Windows or Android. It's user responsible to ensure their device is secure.

9. RoboticEngi

Posts: 1251; Member since: Dec 03, 2014

Click bait........ They all have been the worst malware/virus/exploit/vulnability. And yet I really haven't been reading of millions or at least hundreds of thousands of androidusers loosing money, data etc......If all these "bad" was e real threat, why aren't we hearing about all the infected users loosing money/personal data? I mean there is over 1 billion users, where are all the ones infected ? Why don't we ever hear from them?

34. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

Because they don't know where the vunerability came from. In fact the most unsecure place is the bank apps, they were rated number 1 in security vunerablity. Just like there is over a billion windows devices, we don't see the collapse of the world because there are many virus' for it. But it is not hard to see, simply do a search, I could fill PA entire news page daily, with dozens of forums about someone being hacked, spyed on, or compromised. In fact in my daily job, I get to deal with....."My phone is saying it has been locked due to child pornography, and info will be released to the FBI if I don't pay 250 bucks." Low and behold it was dubbed the FBI hack and went by over a dozen app/process names that could only be fixed by a safemode reboot and removal (unless the app had secured admin privlages so that it couldn't be removed), or master reset. This is daily. Believe it or not, they don't blame google because half the people are unaware that Google even made the code to begin with. They always say, well I got this phone because it had google on it. They literally think that iPhone, windows, blackberry, or other devices have ZERO google access, until I show them my phone with google email, calendar, etc on my phone. So when s**t happens they don't blame android, to them, while the phone is a PC they blame, Samsung, Sony, Verizon, and more, without once stopping to think....oh fck Android is the problem. In fact I dare you to call TMobile, ask about the virus on your phone talking about an FBI warning. They will search their documents, and give you information about the virus. They only put in official documents problems that affect call volume to thousands more a day. They have other docs to deal with it as well. The point of this long arse post to your baby clouded world? You literally have no freaking clue about the average consumer. And here is a link that took 2 seconds with horrible wording "Android billion dollar virus" as the search term,https://www.virusbtn.com/conference/vb2013/abstracts/Mullaney.xml

45. Veigald

Posts: 290; Member since: Jan 13, 2012

Guess when even CNN reports about it, it's pretty serious.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.