
'Stagefright' vulnerability compromises Android phones with 1 text message, may affect 950M devices

A newly discovered security issue in the Android mobile operating system dubbed "Stagefright" has been called one of the worst vulnerabilities to date, and could present a critical issue for some 95 percent of devices in users' hands.

Stagefright is the name for a system service in Android that processes various media formats, implemented in native C++ code. Researcher Joshua J. Drake with Zimperium zLabs discovered that Stagefright can be exploited through a variety of methods, the most dangerous of which requires zero user interaction.

"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS," Zimperium explained. "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification."

The exploit is said to affect Android devices after and including version 2.2, also known as Froyo. In a series of screenshots, Zimperium showed how the exploit was used to trigger the vulnerable code via an MMS on a Nexus 5 running Android Lollipop 5.1.1.

Zimperium reported the vulnerability to Google and also submitted patches to address the issue, and the search giant did apply the patches to internal code branches of Android within 48 hours.

But because many users are not running the latest version of Android, in many cases because they simply cannot, thanks to restrictions in place by handset makers, the vulnerability is said to affect an estimated 95 percent of Android device owners. That would mean some 950 million Android handsets could be affected by the exploit.

In contrast, Apple's website reveals that 85 percent of its users are running iOS 8 or later, its latest-generation operating system. Another 13 percent are on iOS 7, while the remaining users running earlier versions account for just 2 percent.

Drake's research on Stagefright is set to be presented at the Black Hat USA conference on Aug. 5, and at DEF CON 3 on Aug. 7.



157 Comments

solipsismy 10 Years · 5099 comments

I wonder how much national media attention this will get.

chadbag 13 Years · 2029 comments

Quote:
Originally Posted by SolipsismY 

I wonder how much national media attention this will get.


I've seen it in news.google.com multiple times today from multiple outlets. So it seems to be getting attention.

Android is the Windows 95 of the phone world.

dasanman69 15 Years · 12999 comments

How many 'worse vulnerabilities' can there be?

daven 16 Years · 722 comments

To Google's credit, they applied the supplied fix quickly to their internal builds. To Android users' detriment, most will never be able to obtain the fix because of the way Google licenses Android.

solipsismy 10 Years · 5099 comments

Quote:
Originally Posted by dasanman69

How many 'worse vulnerabilities' can there be?

Offhand I'd say the number is infinite.