Android Stagefright Vulnerability Puts 950M Devices at Risk
Posted July 27, 2015
By Shirley Siluk. Updated July 27, 2015 10:39AM

A full 95 percent of all Android devices -- that's about 950 million smartphones, tablets and other mobile gadgets -- are at risk from one of "the worst Android vulnerabilities discovered to date," according to enterprise mobile security firm Zimperium. The security flaw, enabled by the Android operating system's Stagefright media library, could allow hackers to access devices without users ever realizing that they've been compromised.

Because Stagefright handles time-sensitive media processing on devices, it is implemented in C++ rather than in a more "memory-safe" language such as Java, Zimperium noted today in a blog post on its Web site. That native code is more prone to memory corruption, which in this case can give an attacker remote access to a device through a crafted media file delivered by an MMS (multimedia messaging service) text message.

Zimperium said it has reported the vulnerability to Google and also submitted patches for the flaw. While Google "acted promptly and applied the patches to internal code branches within 48 hours," many millions of Android device users might not see security updates for months, if at all.

'Much Worse' than Heartbleed

"We thank [Zimperium zLabs researcher] Joshua Drake for his contributions," a Google spokesperson told us today. "The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device."

The spokesperson added, "Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."

The Stagefright flaw opens vulnerabilities for devices running Android version 2.2 and up, according to Drake's findings. Most at risk are devices using Android Jelly Bean (versions 4.1 through 4.3.1), which covers about 11 percent of all Android devices, due to "inadequate exploit mitigations."

"If 'Heartbleed' from the PC era sends chill down your spine, this is much worse," the Zimperium blog post noted. "The targets for this attack can be anyone from prime ministers, ministers, executives of companies, security officers to IT managers and more, with the potential to spread like a virus."

Open Source but Hands Off

Google said Android's open source foundation ensures strong security by making it possible for anyone to look for and identify potential security risks. The company also encourages researchers to look for vulnerabilities through programs such as its Android Security Rewards Program, launched earlier this year, and its Google Patch Rewards program, kicked off in 2014.

Competitors such as Microsoft, however, have criticized Google for its largely hands-off approach to security updates. Android system and security updates are often delivered by device manufacturers or network carriers rather than by Google itself.

As of June 1, Google's Android developer dashboard indicated that the majority of device users -- 39.2 percent -- are running KitKat (Android 4.4). Jelly Bean (shown above) is the second-most widely used flavor of Android, with a total of 37.2 percent of Android users.

Updates for Android devices have traditionally taken a long time to reach users, and devices older than 18 months are unlikely to even receive an update, Zimperium noted on its blog, adding that it hoped users "recognize the severity of these issues and take immediate action." End users and enterprises should contact their device manufacturers or mobile carriers, the company said.

Posted: 2015-07-29 @ 3:28pm PT
The big problem is that older versions of Android don't get any updates or patches from Google at all any more. Google has virtually abandoned these users to hackers. It's a huge turnoff.

skrambled:
Posted: 2015-07-29 @ 6:45am PT
@LongLiveAndroid is partially correct, but the wireless carriers are also to blame. They hold back on updates, often for several months or even refusing to release them at all, just so they can install their custom bloatware that nobody wants to use anyways.

Michael W. Szkaradek:
Posted: 2015-07-29 @ 6:30am PT
Has anybody ever said who was responsible for creating the Heartbleed and/or StageFright vulnerabilities?

LongLiveAndroid:
Posted: 2015-07-27 @ 12:50pm PT
Google is doing the right thing and setting the software free. Hardware manufacturers are the problem: some of them breach the licensing terms under which Android is distributed and do not share their source code with their customers. Many more of them lock their devices so that customers cannot update themselves. The economic incentives are obvious: manufacturers would rather sell 950 million new devices than fix the existing 950 million devices for free. We need a rule forcing manufacturers to unlock their bootloaders and to provide the user community with a complete end-to-end build chain and source code. Then applying the fix becomes trivial. Thank you Google.
