Stagefright: Putting Android Vulnerabilities In The Spotlight

The worst Android hack affecting over 1B phones is exposed and discussed

© 2017 Zimperium

Last month, the biggest security flaw in Android was unveiled by Zimperium. They showed us the “unicorn” they found, one that puts all prior hacks to shame.

[Image: Your Froyo is vulnerable to attack!]

The worrisome part is that it affects not just a handful of devices or a particular manufacturer. In short, all Android devices above version 2.2, about 950 million of them, are vulnerable to attack.


What Is StageFright?

In this demo, Zimperium shows everyone how an MMS which contains the exploit can be sent and used even when the target Android’s screen is off.

The exploit gives the attacker permissions by targeting the libStageFright mechanism. You do not even have to open the multimedia in the MMS for the attacker to gain control.

What is vulnerable? Well, only the photos on the SD card, audio and video recording without authorization, and Bluetooth control.

Manufacturers' Responses

Stagefright has become such a hot topic that major manufacturers have heeded the call for the Zimperium Handset Alliance (ZHA), which already enjoys the commitment of over 25 of the largest global carriers and device manufacturers, to accelerate update rollouts.

 

[Image: Zimperium takes initiative with the ZHA]

The need for these companies to share security data has never been clearer. Besides, the nature of the Android ecosystem already puts obstacles in the way of delivering updates.


Updates and Patches

Android, which is open-source, can be tweaked by manufacturers. A good example is Samsung. Carriers can add their own software too. Once Google comes out with an update, it is up to the carriers to release it on their phones.

This means that updates may be slow to come.

Google, Samsung, and Alcatel have announced patches that address the Stagefright problem directly. Sony, HTC, LG, Motorola, and some others have also announced update patches this month.

One piece of good news is that there are no reported cases yet of Stagefright being used against users. Also, apps are now available to check if your Android is affected, such as StageFright Detector.