'Stagefright' vulnerability compromises Android phones with 1 text message, may affect 950M devices
A newly discovered security issue in the Android mobile operating system dubbed "Stagefright" has been called one of the worst vulnerabilities to date, and could present a critical issue for some 95 percent of devices in users' hands.
Stagefright is the name for a system service in Android that processes various media formats, implemented in native C++ code. Researcher Joshua J. Drake with Zimperium zLabs discovered that Stagefright can be exploited through a variety of methods, the most dangerous of which requires zero user interaction.
"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS," Zimperium explained. "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification."
The exploit is said to affect Android devices running version 2.2, also known as Froyo, and later. In a series of screenshots, Zimperium showed how the exploit was used to trigger the vulnerable code via an MMS on a Nexus 5 running Android Lollipop 5.1.1.
Zimperium reported the vulnerability to Google and also submitted patches to address the issue, and the search giant applied the patches to internal code branches of Android within 48 hours.
But because many users are not running the latest version of Android — in many cases because they simply cannot, thanks to restrictions in place by handset makers — the vulnerability is said to affect an estimated 95 percent of Android device owners. That would mean some 950 million Android handsets could be affected by the exploit.
In contrast, Apple's website reveals that 85 percent of its users are running iOS 8 or later, its latest-generation operating system. Another 13 percent are on iOS 7, while the remaining users running earlier versions account for just 2 percent.
Drake's research on Stagefright is set to be presented at the Black Hat USA conference on Aug. 5, and at DEF CON 3 on Aug. 7.