July 29, 2015 By Douglas Bonderud 2 min read

Android users are concerned about security. According to a recent BetaNews article, more than 90 percent of users agree that mobile security is important, and two-thirds say they know of specific weaknesses on the Android platform. But worry doesn’t equal action, with almost half of those polled either not using or unsure if they’re using any kind of security app on their phone.

All of that may change, however, with the discovery of a new Android vulnerability baked into every device on the market thanks to Google’s native StageFright media player. Now, the company is racing to implement patches before malicious actors take center stage.

Android Vulnerabilities Are Scary Stuff

A Threatpost piece speculated that the StageFright vulnerability could be “the mobile world’s equivalent to Heartbleed.” Why? First is sheer volume; there are more than 950 million devices running StageFright worldwide. Next is patch distribution. Because Google can’t simply push through a total-OS patch like Apple, the search giant has to work through multiple carriers. Then there’s the vulnerability itself, which has been present since Android version 2.2 right up to the latest release of Lollipop.

The issue centers around StageFright, a native Google app used to manage media playback. According to Joshua Drake of security firm Zimperium zLabs, StageFright is an overprivileged app that often gets system access and runs what Drake describes as “dangerous, risky code.” Instead of being sandboxed to support security, however, the app is given Internet access. The result? Cybercriminals in possession of mobile users’ phone numbers can send malware-laden texts and exploit this inherent Android vulnerability.

Standing Exploitation?

It gets worse, since the exploit actually happens before a text message or Google Hangouts request is opened by users. In many cases, it’s possible to delete the MMS itself, leaving a notification but no attached message. While there are some steps users can take to mitigate the problem, such as disabling automatic downloads of text messages in Google Hangouts, in many cases, they won’t know they’re under attack until their device is compromised.

According to CSO Online, attackers are then able to execute code, access both the Internet and local files and even listen to the microphone. Patches have been developed; Drake and Zimperium gave Google a 90-day window to fix the issue, in compliance with the company’s own Project Zero disclosure guidelines. Unfortunately, there’s no easy way to determine if devices are vulnerable, so users are best protected by updating to the latest Android version as soon as possible.

While it’s tempting to see the new Android vulnerability as both terrifying and aggressive, this kind of exploit is actually par for the course. For example, HP recently reported that 100 percent of smartwatches come with serious security flaws, largely related to multiple data transmission sites. On the face, this is a crippling statistic, but the smartwatch industry won’t collapse any more than Android will suddenly become a defunct OS.

Does StageFright have too-high access privileges? Absolutely. Is this a wide-ranging problem? Definitely. But early discovery coupled with aggressive patch development has largely rendered this flaw null and void — and given users a reason to pay more than lip service to the idea of mobile security.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today