
Android security flaw found in 950 million devices

By Catherine Knowles, Thu 20 Aug 2015

A new security flaw known as Stagefright has been found in 95% of Android devices. The vulnerability allows attackers to execute code remotely, and so steal information, via a maliciously crafted multimedia messaging service (MMS) message.

Dubbed one of the largest Android vulnerabilities to date, Stagefright is estimated to leave 950 million devices worldwide vulnerable.

In light of this, ESET has launched a free app on Google Play to help Android users detect Stagefright on their devices.

"Asia Pacific has one of the highest Android mobile users in the world, making the region a prime target for cyber hackers.

"Mobile users should always remember to follow cyber security best practices, such as avoiding clicking on messages or links from suspicious sources and updating their operating system software regularly," says Parvinder Walia, ESET Asia Pacific sales director.

"We hope that more consumers will download the app as a proactive measure to secure their devices," he says.

ESET has summarised additional information for consumers and businesses about Stagefright in the following FAQ:

Is Stagefright really the worst of all Android vulnerabilities?

It is difficult to label a vulnerability as the worst because the basis for that judgement varies. Some considerations include the number of devices affected, the ease with which devices are compromised, and the number of exploits in the wild.

However, with 950 million users of Android devices potentially affected and a failed attempt by Google to fix the issue, users should take Stagefright more seriously than other commonplace vulnerabilities.

How does this vulnerability work and why is it called Stagefright?

Amongst the thousands of lines of Android source code there is a media library called Stagefright, which handles the multimedia formats that let users play back videos and music on their Android devices.

Attackers exploit Stagefright by sending crafted malicious MMS messages to victims. In these cases, the only information required for a highly targeted attack is the victim's phone number.

In some instances, devices can be compromised even when users do not play or watch the actual message content: simply viewing the MMS can affect the device. With Google Hangouts, however, it is possible for devices to be compromised almost instantly, even before notifications are viewed.

Which versions of Android are vulnerable?

According to investigations, all versions of Android from Froyo (2.2) onwards are vulnerable. This means that 95% of Android devices, or about 950 million users worldwide, are susceptible to the exploit.

In addition, versions prior to Jelly Bean are at higher risk, since they do not incorporate the appropriate mitigations.

How can users protect their devices?

ESET recommends that users check with their vendors whether a patch for their Android device already exists, and deactivate the short message service (SMS) auto-retrieve function in the Messenger and Hangouts applications.

Users should also take the extra precaution of checking whether their devices are vulnerable with the ESET Stagefright Detector app, and stay alert for new information on this topic.
