July 29, 2015 By Douglas Bonderud 2 min read

Android users are concerned about security. According to a recent BetaNews article, more than 90 percent of users agree that mobile security is important, and two-thirds say they know of specific weaknesses on the Android platform. But worry doesn’t equal action, with almost half of those polled either not using or unsure if they’re using any kind of security app on their phone.

All of that may change, however, with the discovery of a new Android vulnerability baked into every device on the market thanks to Google’s native StageFright media player. Now, the company is racing to implement patches before malicious actors take center stage.

Android Vulnerabilities Are Scary Stuff

A Threatpost piece speculated that the StageFright vulnerability could be “the mobile world’s equivalent to Heartbleed.” Why? First is sheer volume; there are more than 950 million devices running StageFright worldwide. Next is patch distribution. Because Google can’t simply push through a total-OS patch like Apple, the search giant has to work through multiple carriers. Then there’s the vulnerability itself, which has been present since Android version 2.2 right up to the latest release of Lollipop.

The issue centers around StageFright, a native Google app used to manage media playback. According to Joshua Drake of security firm Zimperium zLabs, StageFright is an overprivileged app that often gets system access and runs what Drake describes as “dangerous, risky code.” Instead of being sandboxed to support security, however, the app is given Internet access. The result? Cybercriminals in possession of mobile users’ phone numbers can send malware-laden texts and exploit this inherent Android vulnerability.

Standing Exploitation?

It gets worse, since the exploit actually happens before a text message or Google Hangouts request is opened by users. In many cases, it’s possible to delete the MMS itself, leaving a notification but no attached message. While there are some steps users can take to mitigate the problem, such as disabling automatic downloads of text messages in Google Hangouts, in many cases, they won’t know they’re under attack until their device is compromised.

According to CSO Online, attackers are then able to execute code, access both the Internet and local files and even listen to the microphone. Patches have been developed; Drake and Zimperium gave Google a 90-day window to fix the issue, in compliance with the company’s own Project Zero disclosure guidelines. Unfortunately, there’s no easy way to determine if devices are vulnerable, so users are best protected by updating to the latest Android version as soon as possible.

While it’s tempting to see the new Android vulnerability as both terrifying and aggressive, this kind of exploit is actually par for the course. For example, HP recently reported that 100 percent of smartwatches come with serious security flaws, largely related to multiple data transmission sites. On the face, this is a crippling statistic, but the smartwatch industry won’t collapse any more than Android will suddenly become a defunct OS.

Does StageFright have too-high access privileges? Absolutely. Is this a wide-ranging problem? Definitely. But early discovery coupled with aggressive patch development has largely rendered this flaw null and void — and given users a reason to pay more than lip service to the idea of mobile security.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today