'Stagefright' vulnerability compromises Android phones with 1 text message, may affect 950M devices
A newly discovered security issue in the Android mobile operating system dubbed "Stagefright" has been called one of the worst vulnerabilities to date, and could present a critical issue for some 95 percent of devices in users' hands.
Stagefright is the name for a system service in Android that processes various media formats, implemented in native C++ code. Researcher Joshua J. Drake with Zimperium zLabs discovered that Stagefright can be exploited through a variety of methods, the most dangerous of which requires zero user interaction.
"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS," Zimperium explained. "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification."
The exploit is said to affect Android devices after and including version 2.2, also known as Froyo. In a series of screenshots, Zimperium showed how the exploit was used to trigger the vulnerable code via an MMS on a Nexus 5 running Android Lollipop 5.1.1.
Zimperium reported the vulnerability to Google and also submitted patches to address the issue, and the search giant did apply the patches to internal code branches of Android within 48 hours.
But because many users are not running the latest version of Android -- in many cases because they simply cannot, thanks to restrictions in place by handset makers -- the vulnerability is said to affect an estimated 95 percent of Android device owners. That would mean some 950 million Android handsets could be affected by the exploit.
In contrast, Apple's website reveals that 85 percent of its users are running iOS 8 or later, its latest-generation operating system. Another 13 percent are on iOS 7, while the remaining users running earlier versions account for just 2 percent.
Drake's research on Stagefright is set to be presented at the Black Hat USA conference on Aug. 5, and at DEF CON 3 on Aug. 7.
Comments
I wonder how much national media attention this will get.
I've seen it in news.google.com multiple times today from multiple outlets. So it seems to be getting attention.
Android is the Windows 95 of the phone world.
Off hand I'd say the number is infinite.
I heard this on NPR yesterday morning.
It's too bad they can't compartmentalize more of their codebase so that fixes for these severe and easily accessible* vulnerabilities can be more easily administered.
* meaning, the attacker can easily exploit the device, typically remotely, and the extent of the exploit is to allow extensive system access.
I personally for my Android phone use CM12 so I have been patched.
A newly discovered security issue in the Android mobile operating system dubbed "Stagefright" has been called one of the worst vulnerabilities to date, and could present a critical issue for some 95 percent of devices in users' hands.
Where do these logos / branding images come from? These underground hackers have great PR departments.
"A fully weaponized successful attack could even delete the message before you see it. You will only see the notification."
Surely the exploit can do more than delete its own MMS message. Does the attacker get control of the device?
Is that really the case, or just the case for their flagship devices? For example, will the Samsung Galaxy Stardust get this patch?
That reminds me of the old joke, 'what do you call ten lawyers at the bottom of the river?' A start.
But because many users are not running the latest version of Android -- in many cases because they simply cannot, thanks to restrictions in place by handset makers -- the vulnerability is said to affect an estimated 95 percent of Android device owners.
How old is your phone? After 12 months most phones don't get updates from carriers.
If you buy an older phone you get no updates at all.
How Apple wrested away the ability to update the phone without the carrier's involvement was a monumental achievement. In eight years, no other smartphone company can still do the same.
HAHA! Now THAT'S funny!
Wrong. Google updates its Nexus devices the way Apple does.
Wrong. Google updates its Nexus devices the way Apple does.
And how many Nexus devices are out there compared to other Android devices? Apple does it with ALL their devices. So yes, quite.
Google sold Nexus themselves. They did not go through carriers.
Why are other smartphone vendors so dependent on the carriers that updates have to go through them? Is getting paid by the carriers to allow them to push crapware on the devices the only way they can make money on the devices? Is there another reason?
Let's put this into perspective. The population of North America is about 565 million. That means if an attack were to kick off, EVERY Android handset in the Western Hemisphere would be compromised! Why isn't this national news???
It is national news – https://www.google.com/search?q=stagefright+android shows thousands of stories on it.