‘Stagefright’ bug could ‘critically expose’ most Android phones

According to Drake, Google said they had issued patches for this vulnerability on May 8th.

And that is potentially a lot of phones. Pretty scary when you consider that almost 80 percent of all the smartphones in the world run Android.

The “Stagefright” exploit, which was discovered by Zimperium zLabs in April, is considered by the consultancy to be much worse than last year’s Heartbleed vulnerability.

Today, another mobile security firm, Zimperium, brought to light another gaping hole in the Android OS.

He had kind words for one Android phone manufacturer, however: Silent Circle, the creator of the privacy-focused Blackphone smartphone, which has applied Drake’s fixes.

Zimperium not only reported the vulnerability to the Google teams, but also submitted patches. And worst of all, it affects nearly all Android devices since Android 2.2. And, as Google points out, Android is already designed with certain protections for user data.

All an attacker needs to do is create a short video, hide the malware inside and text it to your number.

The Hangouts home screen widget isn’t extraordinary, but with it, you can view conversations and check if there are new messages. “Using these privileges, an attacker can essentially spy on their victim by listening in on conversations or watching the device’s surroundings.”

Exactly when the device might be exploited depends on the messaging platform a user employs.

Here are the fast facts you need to know to get up to date on this new mobile vulnerability.

Google’s Android is in the spotlight once more, yet for no praise.

In the vast majority of cases, malicious hackers focus on operating systems that are most popular to maximize their market. While the security researcher isn’t sure how many apps use Stagefright, he assumes that any app that handles media files is linked somewhat to the framework. They are all “remote code execution” bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data.

To compound the threat to Android devices, Google is largely powerless when it comes to actually getting patches to users. For some devices, like the Samsung S4 or the LG Optimus Elite, the vulnerabilities can be used to completely take control of the gizmo.

Researchers confirmed Google was working on a fix. After that, it’s up to the vendor and/or carrier to push those updates to phones. It’s a rule even Google abides by when it finds flaws in others’ software. On Google Hangouts, you can manage your SMS messages and call landline and mobile devices.

Each warning system message shows up during the boot process with its own color to denote the severity of the warning after the operating system has been checked and verified. Part of the reason behind that estimate is that devices that are 18 months or older are unlikely to receive an update.

Drake will be reporting on these findings at the Black Hat hacker conference in Las Vegas next week.
