Android users are concerned about security. According to a recent BetaNews article, more than 90 percent of users agree that mobile security is important, and two-thirds say they know of specific weaknesses on the Android platform. But worry doesn’t equal action, with almost half of those polled either not using or unsure if they’re using any kind of security app on their phone.
All of that may change, however, with the discovery of a new Android vulnerability baked into every device on the market thanks to Google’s native StageFright media player. Now, the company is racing to implement patches before malicious actors take center stage.
Android Vulnerabilities Are Scary Stuff
A Threatpost piece speculated that the StageFright vulnerability could be “the mobile world’s equivalent to Heartbleed.” Why? First is sheer volume; there are more than 950 million devices running StageFright worldwide. Next is patch distribution. Because Google can’t simply push through a total-OS patch like Apple, the search giant has to work through multiple carriers. Then there’s the vulnerability itself, which has been present since Android version 2.2 right up to the latest release of Lollipop.
The issue centers around StageFright, a native Google app used to manage media playback. According to Joshua Drake of security firm Zimperium zLabs, StageFright is an overprivileged app that often gets system access and runs what Drake describes as “dangerous, risky code.” Instead of being sandboxed to support security, however, the app is given Internet access. The result? Cybercriminals in possession of mobile users’ phone numbers can send malware-laden texts and exploit this inherent Android vulnerability.
It gets worse, since the exploit actually happens before a text message or Google Hangouts request is opened by users. In many cases, it’s possible to delete the MMS itself, leaving a notification but no attached message. While there are some steps users can take to mitigate the problem, such as disabling automatic downloads of text messages in Google Hangouts, in many cases, they won’t know they’re under attack until their device is compromised.
According to CSO Online, attackers are then able to execute code, access both the Internet and local files and even listen to the microphone. Patches have been developed; Drake and Zimperium gave Google a 90-day window to fix the issue, in compliance with the company’s own Project Zero disclosure guidelines. Unfortunately, there’s no easy way to determine if devices are vulnerable, so users are best protected by updating to the latest Android version as soon as possible.
While it’s tempting to see the new Android vulnerability as both terrifying and aggressive, this kind of exploit is actually par for the course. For example, HP recently reported that 100 percent of smartwatches come with serious security flaws, largely related to multiple data transmission sites. On the face, this is a crippling statistic, but the smartwatch industry won’t collapse any more than Android will suddenly become a defunct OS.
Does StageFright have too-high access privileges? Absolutely. Is this a wide-ranging problem? Definitely. But early discovery coupled with aggressive patch development has largely rendered this flaw null and void — and given users a reason to pay more than lip service to the idea of mobile security.