Stagefright: Worst Android Vulnerability Yet

Category: Mobile , Security

Remember back in June when you snickered at your iPhone friends, because a specially crafted text message could shut down their phones? It's payback time. A similar vulnerability in Android phones can do much scarier things. Here's what you need to know, and do…

What is the Android Stagefright Problem?

Researchers with Zimperium Mobile Security recently discovered a flaw in 95% of Android devices (of which there are an estimated 950 million) that allows hackers to remotely execute malware on a device if they only know its phone number. Here is how it can happen:

A bad guy need only send a specially-crafted MMS message to a target device. The malformed message overloads a vulnerable part of the device’s memory, essentially creating a “hole” in Android’s defenses through which malware can be injected. The malware can then take over complete control of the device, and even erase all signs of its invasion.

The really scary thing is that this attack does not require any action on the victim’s part. You can protect against phishing messages and rogue Web sites by not clicking on suspicious file attachments, links, and download buttons. But this attack can take place while you’re not even looking at your phone. The implanted malware can quickly erase any notification of the treacherous MMS message, and even the message itself.
Android Stagefright bug

The vulnerabilities (yes, plural) were discovered in an Android module code-named “Stagefright,” whose job is to display common multimedia files. Stagefright is written in so-called “native code,” (specifically, C++), which is more susceptible to this sort of memory corruption than languages such as Java, which were designed with memory-security in mind. However, native code executes faster, which is important for displaying multimedia; that’s why C++ was chosen for this portion of Android.

Android versions 2.2 and later are vulnerable; even the latest Lollipop 5.1.1 version contains this alarming flaw. Android versions earlier than Jelly Bean (roughly 11% of all devices) are especially vulnerable.

In an unusual move, Zimperium created patches for the Stagefright vulnerabilities and gave them to Google along with Zimperium’s documentation of each vulnerability. To Google’s credit, the patches were applied to the company’s internal “working copy” of Android within 48 hours. All copies of Android obtained directly from Google are now safe from Stagefright.

One More Hurdle...

But Google doesn’t update Android devices directly. New versions of “pure” Android go to device manufacturers and cellular service carriers. Those middlemen customize Android to their liking before installing their tweaked versions on devices and selling them. Once they’ve sold you a phone, these middlemen have little incentive to keep your copy of Android updated and secure. Devices older than 18 months are unlikely to get updates at all, because you’re expected to buy a new device every two years.

In the absence of a software fix from your carrier, one thing you can do to mitigate the risk is to turn off the "auto-retreive" option for MMS messages on your phone. (Google for instructions specific to your handset.) Doing this will require you to explicitly click to view a multimedia message, if one arrives from a person you don't know. Once the official fix is applied, you can turn auto-retrieve back on.

At least two group of users are already protected against Stagefright exploits, says Zimperium. Users of SilentCircle’s high-security Blackphone running PrivateOS v1.1.7 or higher are safe. In addition, if you've rooted your phone and installed CyanogenMod (a custom version of the Android operating system), you're okay. Enterprise customers of Zimperium’s Enterprise Mobile Threat Protection solution, zIPS, are also protected against Stagefright vulnerabilities. But consumer and small business users of Android have only one hope.

Call the maker of your Android device, and your cellular carrier, and demand to know when the Stagefright fix will be pushed to your device. Be persistent until you get it. Only if enough end users make enough noise will this extremely dangerous bug be fixed.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 29 Jul 2015

For Fun: Buy Bob a Snickers.

Prev Article:
Will YOU Pay the Netflix Tax?

The Top Twenty
Next Article:
Geekly Update - 30 July 2015

Most recent comments on "Stagefright: Worst Android Vulnerability Yet"

Posted by:

29 Jul 2015

Suckers like myself have a double whammy because I have an iPhone for work and Android for personal. Of course, I'm still better off than some of the politicians or athletes who don't seem to know how many phones they have or when they broke them:-)

Posted by:

29 Jul 2015

I'm planning on buying a new Samsung Galaxy Note IV tomorrow. Should Stagefright be an issue with a new phone, or should I ask about the patch?

EDITOR'S NOTE: Yes, ask.

Posted by:

29 Jul 2015

My daughter is buying a Motorola phone & mailing to me. Do I need to worry or do anything?

EDITOR'S NOTE: Well, yes. You need to take the action I recommended in the article (turn off SMS auto-retrieve) and contact the carrier for a permanent fix.

Posted by:

29 Jul 2015

Barbara, I don't know about the latest Galaxy Note 4 but I doubt it has the fix yet. I have a Galaxy Note 4 (AT&T version -- each providers version is slightly different). I did get an update yesterday from AT&T but I don't know what's in it. I would be surprised if it the fix for this issue. It could be months before the fix makes it out to the phone unless you buy the Samsung international version which will probably get the update faster.

If you want the best/latest version of the software, buy a Google Nexus, but you may or may not like the phone as well (screen, the Note S-Pen, other modifications by Samsung or others).

Google is designing the next version of Android so that the portions of the system are not quite so tightly integrated and they would be able to push out patches to the core OS separately from the carriers.

Posted by:

29 Jul 2015

Are those with Nexus phones safe since Nexus gets updates direct from Google?

EDITOR'S NOTE: You'll get an auto-update from Google soon.

Posted by:

Thomas Mackowiak
29 Jul 2015

Excuse me but I have no idea what I have to do to make this recommended change to the three Sprint Samsung Galaxy S5 phones in my family. One of the phones is used by a teenage Granddaughter. Can someone give me some help as to how I turn off auto-retrieve on a Sprint Samsung Galaxy S5? Thank you!

EDITOR'S NOTE: Click here:

Posted by:

30 Jul 2015

Two people in my family have a Motorola Razr M cell phone (older models). How can we tell is their phones are infected or compromised?

Secondly, I have an iPhone 5C and turned off the automatic display of text messages. Has that vulnerability been fixed yet? Is it safe for me to go back to having the phone show text messages as before?
Thank you!

Posted by:

Ken Mitchell
30 Jul 2015

If you install the "TextSecure" app to replace the standard Android SMS app, it prevents the automatic download of multi-media messages.

Posted by:

30 Jul 2015

Hi Bob
I'm smiling at these problems with Android and Iphones because my old Sammy Wave uses Bada (remember that?) so now I don't feel so stupid at sticking with unfashionable software.....

Posted by:

30 Jul 2015

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important!

Note this*! tsk, tsk.

> You need to take the action I recommended in the article (turn off SMS auto-*retreive) and contact the carrier for a permanent fix.

EDITOR'S NOTE: Fixed now, thanks. :-)

Posted by:

Mr Ed
30 Jul 2015

I contacted T-Mobile. They are apparently sitting on their hands waiting for a patch from Samsung. They have no idea when a patch will be available, but were unhappy with my suggestion that the only way for me to get a patch at this time was to root my phone. They suggested that I contact Samsung. (As if I have more influence on Samsung than they do!)

Posted by:

30 Jul 2015

Doesn't the article tell us to turn off MMS, not SMS? Why does Dennis' comment mention turning off SMS auto-retrieve (correct spelling here). Bob's article says, "In the absence of a software fix from your carrier, one thing you can do to mitigate the risk is to turn off the "auto-retreive" option for MMS messages on your phone."
Bob, on my old Android 2.2 version, I was able to find my MMS auto-retrieve option and turn it off. Thank you for your post. Is it safe to turn it on only to receive photo messages from friends and then turn it off again? Or, would that short window of time allow Stagefright to enter my phone had it'd been waiting in the wings? Thanks again.

Posted by:

31 Jul 2015

In an era of viber and facebook, who uses MMS anymore? I am protected in a that way that my MMS is not configured.

Posted by:

31 Jul 2015

November 2013 I purchased a 10" Android tablet with 4.0 installed. The manufacturer allowed an upgrade to 4.2.2. A couple months back I contacted the manufacturer about an upgrade to 5. NO DICE. We have a newer model of your tablet and yours will not be updated. My feelings about Android? A joke- toy, of an operating system. Waste of $160. Lumia Windows phone I have? $100 investment, like it. More of a real OS than Android. More functional. Free upgrade to Windows 10 OS. Thanks for your articles, Bob. Any vulnerabilities to Windows phone OS (8.1-10) to report?

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Stagefright: Worst Android Vulnerability Yet (Posted: 29 Jul 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved