A full 95 percent of all Android devices -- that's about 950 million smartphones, tablets and other mobile gadgets -- are at risk from one of "the worst Android vulnerabilities discovered to date," according to enterprise mobile security firm Zimperium. The security flaw, enabled by the Android operating system's Stagefright media library, could allow hackers to access devices without users ever realizing that they've been compromised.
Because Stagefright is used for time-sensitive media processing on devices, it's implemented using C++ code rather than a more "memory-safe" language such as Java, Zimperium noted today in a blog post on its Web site. However, that code leaves it more vulnerable to memory corruption and can open up devices to potential hack attacks that can gain remote access through media files delivered by MMS (multimedia messaging service) text messages.
Zimperium said it has reported the vulnerability to Google and also submitted patches for the flaw. While Google "acted promptly and applied the patches to internal code branches within 48 hours," many millions of Android device users might not see security updates for months, if at all.
'Much Worse' than Heartbleed
"We thank [Zimperium zLabs researcher] Joshua Drake for his contributions," a Google spokesperson told us today. "The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device."
The spokesperson added, "Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."
The Stagefright flaw opens vulnerabilities for devices running Android version 2.2 and up, according to Drake's findings. Most at risk are devices using Android Jelly Bean (versions 4.1 through 4.3.1), which covers about 11 percent of all Android devices, due to "inadequate exploit mitigations."
"If 'Heartbleed' from the PC era sends chill down your spine, this is much worse," the Zimperium blog post noted. "The targets for this attack can be anyone from prime ministers, ministers, executives of companies, security officers to IT managers and more, with the potential to spread like a virus."
Open Source but Hands Off
Google said Android's open source foundation ensures strong security by making it possible for anyone to look for and identify potential security risks. The company also encourages researchers to look for vulnerabilities through programs such as its Android Security Rewards Program, launched earlier this year, and its Google Patch Rewards program, kicked off in 2014.
Competitors such as Microsoft, however, have criticized Google for its less-than-completely-hands-on approach to security updates. Android system and security updates are often handled by device manufacturers or network carriers rather than by Google itself.
As of June 1, Google's Android developer dashboard indicated that the majority of device users -- 39.2 percent -- are running KitKat (Android 4.4). Jelly Bean (shown above) is the second-most widely used flavor of Android, with a total of 37.2 percent of Android users.
Updates for Android devices have traditionally taken a long time to reach users, and devices older than 18 months are unlikely to even receive an update, Zimperium noted on its blog, adding that it hoped users "recognize the severity of these issues and take immediate action." End users and enterprises should contact their device manufacturers or mobile carriers, the company said.