The StageFright Vulnerability: Maybe the greatest Android vulnerability (so far)

This vulnerability is epic and, perhaps, a huge warning about what's ahead.

Here’s a nightmare scenario: A simple smartphone exploit that doesn’t require the user to do anything other than receive a text message. If such a thing worries you (and, if you’re an IT manager in a shop that allows BYOD, it should), then there’s bad news for you: Such an exploit exists for, it is estimated, roughly 95% of Android smartphones, and Android runs roughly 82% of the world’s estimated 1.91 billion smartphones.

Discovered by Joshua J. Drake, VP of Platform Research and Exploitation for Zimperium zLabs, the StageFright Vulnerability is unusually effective for attacking unpatched systems:

Built on tens of gigabytes of source code from the Android Open Source Project (AOSP), the leading smartphone operating system carries a scary code in its heart. Named Stagefright, it is a media library that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++) that is more prone to memory corruption than memory-safe languages like Java … These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices.

The company explains:

Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

The implications of this vulnerability are enormous because while you can patch your Android device to make it immune to StageFright, you’re not the problem … it’s the millions of other users out there who won’t get around to patching because they either don’t know about the issue or they don’t care. 

Anyway, to learn more about the StageFright Vulnerability check out the following:

If you're in a BYOD environment, good luck. While it appears that no one has (so far) detected that the vulnerability has been exploited, that doesn't mean it hasn't.


Copyright © 2015 IDG Communications, Inc.
