July 29, 2015 By Douglas Bonderud 2 min read

Android users are concerned about security. According to a recent BetaNews article, more than 90 percent of users agree that mobile security is important, and two-thirds say they know of specific weaknesses on the Android platform. But worry doesn’t equal action, with almost half of those polled either not using or unsure if they’re using any kind of security app on their phone.

All of that may change, however, with the discovery of a new Android vulnerability baked into every device on the market thanks to Google’s native StageFright media player. Now, the company is racing to implement patches before malicious actors take center stage.

Android Vulnerabilities Are Scary Stuff

A Threatpost piece speculated that the StageFright vulnerability could be “the mobile world’s equivalent to Heartbleed.” Why? First is sheer volume; there are more than 950 million devices running StageFright worldwide. Next is patch distribution. Because Google can’t simply push through a total-OS patch like Apple, the search giant has to work through multiple carriers. Then there’s the vulnerability itself, which has been present since Android version 2.2 right up to the latest release of Lollipop.

The issue centers around StageFright, a native Google app used to manage media playback. According to Joshua Drake of security firm Zimperium zLabs, StageFright is an overprivileged app that often gets system access and runs what Drake describes as “dangerous, risky code.” Instead of being sandboxed to support security, however, the app is given Internet access. The result? Cybercriminals in possession of mobile users’ phone numbers can send malware-laden texts and exploit this inherent Android vulnerability.

Standing Exploitation?

It gets worse, since the exploit actually happens before a text message or Google Hangouts request is opened by users. In many cases, it’s possible to delete the MMS itself, leaving a notification but no attached message. While there are some steps users can take to mitigate the problem, such as disabling automatic downloads of text messages in Google Hangouts, in many cases, they won’t know they’re under attack until their device is compromised.

According to CSO Online, attackers are then able to execute code, access both the Internet and local files and even listen to the microphone. Patches have been developed; Drake and Zimperium gave Google a 90-day window to fix the issue, in compliance with the company’s own Project Zero disclosure guidelines. Unfortunately, there’s no easy way to determine if devices are vulnerable, so users are best protected by updating to the latest Android version as soon as possible.

While it’s tempting to see the new Android vulnerability as both terrifying and aggressive, this kind of exploit is actually par for the course. For example, HP recently reported that 100 percent of smartwatches come with serious security flaws, largely related to multiple data transmission sites. On the face, this is a crippling statistic, but the smartwatch industry won’t collapse any more than Android will suddenly become a defunct OS.

Does StageFright have too-high access privileges? Absolutely. Is this a wide-ranging problem? Definitely. But early discovery coupled with aggressive patch development has largely rendered this flaw null and void — and given users a reason to pay more than lip service to the idea of mobile security.

More from

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today