A bug in Android media playback engine has opened up a very nasty security hole for most of the world's Android devices. Now it's up to vendors and telcos to patch it.
Image: Family O'Abé
Stagefright is the native media playback engine for all versions of Android since 2.2 ("Froyo") and the attack is said to be very simple indeed, requiring only the phone number of the handset in question in order to execute remote code. The bug was discovered by Zimperium zLabs who state that they'll release full details of the flaw at the Black Hat conference next week in Las Vegas.
It's a worrying flaw on two fronts. Firstly, it's not an exploit that requires any kind of user action to implement in any way at all. The example cited is to send a vulnerable device a simple MMS which can then self-delete.
Then there's the issue that Android updates for older devices are often an afterthought; the bug is said to be particularly worrying for any devices older than Android 4.2 as they lack certain exploit mitigations built into newer versions of Android.