July 29, 2015 By Douglas Bonderud 2 min read

Android users are concerned about security. According to a recent BetaNews article, more than 90 percent of users agree that mobile security is important, and two-thirds say they know of specific weaknesses on the Android platform. But worry doesn’t equal action, with almost half of those polled either not using or unsure if they’re using any kind of security app on their phone.

All of that may change, however, with the discovery of a new Android vulnerability baked into every device on the market thanks to Google’s native StageFright media player. Now, the company is racing to implement patches before malicious actors take center stage.

Android Vulnerabilities Are Scary Stuff

A Threatpost piece speculated that the StageFright vulnerability could be “the mobile world’s equivalent to Heartbleed.” Why? First is sheer volume; there are more than 950 million devices running StageFright worldwide. Next is patch distribution. Because Google can’t simply push through a total-OS patch like Apple, the search giant has to work through multiple carriers. Then there’s the vulnerability itself, which has been present since Android version 2.2 right up to the latest release of Lollipop.

The issue centers around StageFright, a native Google app used to manage media playback. According to Joshua Drake of security firm Zimperium zLabs, StageFright is an overprivileged app that often gets system access and runs what Drake describes as “dangerous, risky code.” Instead of being sandboxed to support security, however, the app is given Internet access. The result? Cybercriminals in possession of mobile users’ phone numbers can send malware-laden texts and exploit this inherent Android vulnerability.

Standing Exploitation?

It gets worse, since the exploit actually happens before a text message or Google Hangouts request is opened by users. In many cases, it’s possible to delete the MMS itself, leaving a notification but no attached message. While there are some steps users can take to mitigate the problem, such as disabling automatic downloads of text messages in Google Hangouts, in many cases, they won’t know they’re under attack until their device is compromised.

According to CSO Online, attackers are then able to execute code, access both the Internet and local files and even listen to the microphone. Patches have been developed; Drake and Zimperium gave Google a 90-day window to fix the issue, in compliance with the company’s own Project Zero disclosure guidelines. Unfortunately, there’s no easy way to determine if devices are vulnerable, so users are best protected by updating to the latest Android version as soon as possible.

While it’s tempting to see the new Android vulnerability as both terrifying and aggressive, this kind of exploit is actually par for the course. For example, HP recently reported that 100 percent of smartwatches come with serious security flaws, largely related to multiple data transmission sites. On the face, this is a crippling statistic, but the smartwatch industry won’t collapse any more than Android will suddenly become a defunct OS.

Does StageFright have too-high access privileges? Absolutely. Is this a wide-ranging problem? Definitely. But early discovery coupled with aggressive patch development has largely rendered this flaw null and void — and given users a reason to pay more than lip service to the idea of mobile security.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today