'Stagefright' vulnerability compromises Android phones with 1 text message, may affect 950M devices

Posted:
in iPhone edited August 2015
A newly discovered security issue in the Android mobile operating system dubbed "Stagefright" has been called one of the worst vulnerabilities to date, and could present a critical issue for some 95 percent of devices in users' hands.




Stagefright is the name for a system service in Android that processes various media formats, implemented in native C++ code. Researcher Joshua J. Drake with Zimperium zLabs discovered that Stagefright can be exploited through a variety of methods, the most dangerous of which requires zero user interaction.

"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS," Zimperium explained. "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification."

The exploit is said to affect Android devices after and including version 2.2, also known as Froyo. In a series of screenshots, Zimperium showed how the exploit was used to trigger the vulnerable code via an MMS on a Nexus 5 running Android Lollipop 5.1.1.




Zimperium reported the vulnerability to Google and also submitted patches to address the issue, and the search giant did apply the patches to internal code branches of Android within 48 hours.

But because many users are not running the latest version of Android --?in many cases because they simply cannot, thanks to restrictions in place by handset makers --?the vulnerability is said to affect an estimated 95 percent of Android device owners. That would mean some 950 million Android handsets could be affected by the exploit.

In contrast, Apple's website reveals that 85 percent of its users are running iOS 8 or later, its latest-generation operating system. Another 13 percent are on iOS 7, while the remaining users running earlier versions account for just 2 percent.

Drake's research on Stagefright is set to be presented at the Black Hat USA confrence on Aug. 5, and at DEF CON 3 on Aug. 7.
«1345678

Comments

  • Reply 1 of 157
    solipsismysolipsismy Posts: 5,099member
    I wonder how much national media attention this will get.
  • Reply 2 of 157
    chadbagchadbag Posts: 1,999member
    Quote:

    Originally Posted by SolipsismY View Post



    I wonder how much national media attention this will get.



    I've seen in in news.google.com multiple times today from multiple outlets.  So it seems to be getting attention.

     

     

    Android is the Windows 95 of the phone world.

  • Reply 3 of 157
    dasanman69dasanman69 Posts: 13,002member
    How many 'worse vulnerabilities' can there be?
  • Reply 4 of 157
    davendaven Posts: 696member
    To Google's credit, they applied the supplied fix quickly to their internal builds. On Android user's detriment, most will never be able to obtain the fix because of the way Google licenses Android.
  • Reply 5 of 157
    solipsismysolipsismy Posts: 5,099member
    dasanman69 wrote: »
    How many 'worse vulnerabilities' can there be?

    Off hand I'd say the number is infinite.
  • Reply 6 of 157
    jupiteronejupiterone Posts: 1,564member
    solipsismy wrote: »
    I wonder how much national media attention this will get.

    I heard this on NPR yesterday morning.
  • Reply 7 of 157
    solipsismysolipsismy Posts: 5,099member
    daven wrote: »
    To Google's credit, they applied the supplied fix quickly to their internal builds. On Android user's detriment, most will never be able to obtain the fix because of the way Google licenses Android.

    It's too bad they can't compartmentalize more of their codebase so that fixes for these severe and easily accessible* vulnerabilities can be more easily administered.

    * meaning, the attacker can easy exploit the device, typically remotely, and the extent of the exploit is to allow extensive system access.
  • Reply 8 of 157
    sog35 wrote: »
    and that's why Android sucks.

    Your phone will be unable to update after 12 months.  Or if you buy a cheaper phone, never updated.
    Not quite Samsung, HTC, lg, and Motorola have been doing a great job supporting their devices. (I mean the time it takes to take source code recode to the specifics of a device and test it). International phones get updates in under two months and many cases now. Remember Android is not iOS and these things take longer when you don't make the software.

    I personally for my Android phone use CM12 so I have been patched.
  • Reply 9 of 157
    Quote:

    Originally Posted by AppleInsider View Post



    A newly discovered security issue in the Android mobile operating system dubbed "Stagefright" has been called one of the worst vulnerabilities to date, and could present a critical issue for some 95 percent of devices in users' hands.

     


     

    Where do these logos / branding images come from? These underground hackers have great PR departments.

  • Reply 10 of 157
    Let's put this into perspective. The population of North America is about 565 million. That means if an attack were to kick off, EVERY Andriod handset in the Western Hemisphere would be compromised! Why isn't this national news???
  • Reply 11 of 157
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by AppleInsider View Post



    "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification."

    Surely the exploit can do more than delete its own MMS message. Does the attacker get control of the device?

  • Reply 12 of 157
    solipsismysolipsismy Posts: 5,099member
    Not quite Samsung, HTC, lg, and Motorola have been doing a great job supporting their devices.

    Is that really the case, or just the case for their flagship devices? For example, will the Samsung Galaxy Stardust get this patch?
  • Reply 13 of 157
    MacProMacPro Posts: 19,712member
    But at least they are not in a crappy walled garden like is Apple folks :D
  • Reply 14 of 157
    MacProMacPro Posts: 19,712member
    Let's put this into perspective. The population of North America is about 565 million. That means if an attack were to kick off, EVERY Andriod handset in the Western Hemisphere would be compromised! Why isn't this national news???

    That reminds me of the old joke, 'what do you call ten lawyers at the bottom of the river?' A start.
  • Reply 15 of 157
    formosaformosa Posts: 261member
    Quote:
    Originally Posted by AppleInsider View Post



    But because many users are not running the latest version of Android --?in many cases because they simply cannot, thanks to restrictions in place by handset makers --?the vulnerability is said to affect an estimated 95 percent of Android device owners.

     

    Quote:
    Originally Posted by sog35 View Post

     

    How old is your phone?  After 12 months most phones don't get updates from carriers.

     

    If you buy an older phone you get no updates at all.


     

    How Apple wrested away the ability to update the phone without the carrier's involvement was a monumental achievement. In eight years, no other smartphone company can still do the same.

  • Reply 16 of 157



    HAHA! Now THAT'S funny!

  • Reply 17 of 157
    dasanman69dasanman69 Posts: 13,002member
    formosa wrote: »
    But because many users are not running the latest version of Android --?in many cases because they simply cannot, thanks to restrictions in place by handset makers --?the vulnerability is said to affect an estimated 95 percent of Android device owners.
    sog35 wrote: »
    How old is your phone?  After 12 months most phones don't get updates from carriers.

    If you buy an older phone you get no updates at all.

    How Apple wrested away the ability to update the phone without the carrier's involvement was a monumental achievement. In eight years, no other smartphone company can still do the same.

    Wrong. Google updates its Nexus devices the way Apple does.
  • Reply 18 of 157
    chadbagchadbag Posts: 1,999member
    Quote:

    Originally Posted by dasanman69 View Post





    Wrong. Google updates its Nexus devices the way Apple does.



    And how many Nexus devices are out there compared to other Android devices?   Apple does it with ALL their devices.   So yes, quite.

     

    Google sold Nexus themselves.  They did not go through carriers.

  • Reply 19 of 157
    solipsismysolipsismy Posts: 5,099member
    formosa wrote: »

    How Apple wrested away the ability to update the phone without the carrier's involvement was a monumental achievement. In eight years, no other smartphone company can still do the same.

    Why are other smartphone vendors so dependent on the carriers that updates have to go through them? Is getting paid by the carriers to allow them to push crapware on the devices the only way they can make money on the devices? Is there another reason?
  • Reply 20 of 157
    afrodriafrodri Posts: 190member
    Quote:

    Originally Posted by Prince Brian View Post



    Let's put this into perspective. The population of North America is about 565 million. That means if an attack were to kick off, EVERY Andriod handset in the Western Hemisphere would be compromised! Why isn't this national news???

     

    It is national news – https://www.google.com/search?q=stagefright+android ; shows thousands of stories on it.

Sign In or Register to comment.