Security Alert: Stagefright Bug Affects Almost Every Android Phone

A bug in Android's media playback engine has opened up a very nasty security hole in most of the world's Android devices. Now it's up to vendors and telcos to patch it.

Image: Family O'Abé

Stagefright is the native media playback engine for all versions of Android since 2.2 ("Froyo"), and the attack is said to be very simple indeed, requiring only the phone number of the handset in question in order to execute code remotely. The bug was discovered by Zimperium zLabs, who state that they'll release full details of the flaw at the Black Hat conference next week in Las Vegas.

It's a worrying flaw on two fronts. Firstly, the exploit requires no user action of any kind. The example cited is sending a vulnerable device a simple MMS, which can then self-delete.

Then there's the issue that Android updates for older devices are often an afterthought; the bug is said to be particularly worrying for any devices older than Android 4.2 as they lack certain exploit mitigations built into newer versions of Android.

Android Stagefright Flaws Put 950 Million Devices At Risk [ThreatPost]


Comments

    There should be a law against releasing information on a security exploit to the public before it's patched on all available devices...

      That will work for all the times black hats have notified manufacturers and they have done nothing for months or years until they go public. They don't fix exploits for security reasons; they fix them for PR reasons.

      Often it is the publicity that forces their hand to patch it. There have been numerous examples where companies have denied exploits being present in their product, despite overwhelming evidence to the contrary.
      I'm struggling to recall the name of one at the moment, but there was a high-profile case a few years ago (2011-2012?), where a company publicly stated there were no issues, despite their helpdesk being hammered with people complaining of the issue.
      Later it was revealed the CEO and the upper management had full knowledge of the issue, but still chose to lie to the public, and in essence, call their customers liars.

    They'll probably patch this in M which is on the way.

      Both my work Samsungs are less than a year old and still waiting for their update to L so I think by the time they get updated to M my identity will be well and truly stolen.

        Wow, that's pretty shitty on Samsung's part. I don't really trust any of the carriers to do a decent job so I just stick with Nexus devices.

        Plus, if you're with Telstra it takes forever to get an update. Both the Xperia Z3 and Galaxy Note Edge Lollipop updates were delayed due to unnamed 'issues' seemingly discovered on the day they were meant to roll out.

        That's pretty shitty on your carrier's part. I'm on an unbranded Samsung with L.

    Had to root my phone so I could get an update. The telcos are the ones responsible for patches; imagine if Microsoft let Dell or HP decide when to roll out Windows patches.

    I'm sick of being at the mercy of Telstra for updates. My next phone will be a pure Google phone!

      Telstra still delayed update of L on Nexus devices.

        I was thinking of buying direct from the Google store. Surely that would bypass Telstra controlling the updates?

          Certainly does, you get your updates direct from Google, as the phone is carrier agnostic.

    To squash this bug, all you need to do is turn off auto-retrieve for MMS (picture messages using the SMS app)

    Then don't open MMS from suspicious people you don't know.

    Solution #2 is to disable MMS send/receive altogether, which you can do by changing the Access Point Name settings in your phone.

    Then instead of a picture message from your mum (because anyone younger than your mum will be using an OTT app to send pics, like WhatsApp or Viber or Hangouts) you will get a text from your carrier asking you to visit a website to see that MMS. Much safer.

    Last edited 28/07/15 12:02 pm

      It said the example cited was using an MMS; it didn't say that was the only way to exploit this vulnerability.

      I use MMS all the time. Anyone with a phone these days has access to MMS, but trying to keep track of who uses Viber, WhatsApp etc. Screw that. Why use 16 different apps when you can just use built in? I'm not so needy that I desperately need to see when/if someone read my message... Which is the only benefit to those apps that I can see.

      I'm 32 btw.
