Thursday, 30 July 2015 17:31

Stagefright vulnerability leaves almost 1B Android users in the lurch


A serious vulnerability in most versions of Android has been revealed before any major phone vendors have released patches for their devices.

Zimperium zLabs security researcher Joshua Drake discovered a series of flaws in Stagefright - Android's media playback engine - that have serious implications.

Zimperium described it as "Mother of all Android Vulnerabilities" - not only does it affect 95% of Android devices (the bugs are present as far back as Android 2.2, so as many as 950,000,000 phones could be affected), but no user interaction is required and it seems that conventional security software is unable to provide protection.

Exploits can be delivered in the form of an MMS (Multimedia Messaging Service) message. Depending on the app used to process MMSes, the message may be processed automatically as it is received. An exploit could then execute code (eg, to record audio or video) and steal data accessible to Stagefright (eg, photos on the SD card).

Drake reported that if MMSes are handled by Google Hangouts, the exploit runs immediately and could be designed to automatically delete the message so the victim may never be aware of what had happened.

Where the Messenger app is used, the exploit runs when the message is looked at, even if the user does not play any of the content.

According to Symantec's Norton operation, a degree of protection can be achieved by disabling Auto Retrieve MMS in the relevant app, such as Messaging, Messenger, Google Chat or Google Hangout.

But "It is important to keep in mind, this is only a partial, temporary solution. Even with auto-retrieve MMS turned off, it is possible for a user to accidentally download a malicious message."

The real fix is to apply the necessary patch from the device manufacturer, but the problem is that phones running Android versions from 2.2 to 4.0 are historically less likely to receive updates and those operating systems lack refinements that make it harder to exploit vulnerabilities.

Symantec also warned that Norton Security does not provide protection against the Stagefright vulnerability.

According to Forbes, Google will push out patches to Nexus devices next week.

Other vendors have made vague statements about forthcoming updates, but unless your phone is quite new and running a very recent version of Android it is quite possible that the maker will quietly ignore it. For example, the Fake ID vulnerability disclosed this time last year is still present in a fully-updated Samsung Galaxy S3.

That's a worry, as Drake will be revealing details of the Stagefright vulnerabilities at the Black Hat and Defcon conferences next week.

Furthermore, MMS isn't the only way of exploiting the vulnerability: the Firefox browser has already been patched to prevent malicious video files reaching Stagefright.

Is anyone safe? Fixes have already been released for Silent Circle's Blackphone and for the CyanogenMod fork of Android. And as mentioned above, mitigations in Android 4.1 and later may make it harder to create reliable or effective exploits for the vulnerability.

And at this stage nobody seems to be claiming that there are any exploits in the wild, but that could change after Drake spills the beans next week.


Recently iTWire remodelled and relaunched how we approach "Sponsored Content" and this is now referred to as "Promotional News and Content”.

This repositioning of our promotional stories has come about due to customer focus groups and their feedback from PR firms, bloggers and advertising firms.

Your Promotional story will be prominently displayed on the Home Page.

We will also provide you with a second post that will be displayed on every page on the right hand side for at least 6 weeks and also it will appear for 4 weeks in the newsletter every day that goes to 75,000 readers twice daily.



Some of the most important records are paper-based documents that are slow to issue, easy to fake and expensive to verify.

Digital licenses and certificates, identity documents and private citizen immunity passports can help you deliver security and mobility for citizens’ information.

Join our webinar: Thursday 4th June 12 midday East Australian time


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.



Recent Comments