Story image

Android security flaw found in 950 million devices

20 Aug 2015

A new security flaw known as Stagefright has been found in 95% of Android devices. The vulnerability allows attackers to steal information through remotely executed code via a maliciously crafted multimedia messaging services (MMS).

Dubbed one of the largest Android vulnerabilities to date, it has been estimated that 950 million devices worldwide are vulnerable to Stagefright.

In light of this, ESET has launched a free app on Google Play to help Android users detect Stagefright on their devices.

"Asia Pacific has one of the highest Android mobile users in the world, making the region a prime target for cyber hackers.

“Mobile users should always remember to follow cyber security best practices, such as avoiding clicking on messages or links from suspicious sources and updating their operating system software regularly," says Parvinder Walia, ESET Asia Pacific sales director.

"We hope that more consumers will download the app as a proactive measure to secure their devices,” he says.

ESET has summarised additional information for consumers and businesses about Stagefright in the following FAQ:

Is Stagefright really the worst of all Android vulnerabilities?

It is difficult to label a vulnerability as being the worst because the basis for this attribution varies. Some considerations include, the number of devices affected, the ease with which devices are compromised, and amount of exploits in the wild.

However, with 950 million users of Android devices potentially affected and a failed attempt by Google to fix the issues, users should take Stagefright more seriously than other commonplace vulnerabilities.

How does this vulnerability work and why is it called Stagefright?

Amongst the thousands of lines in the source code of Android, there is a media library called Stagefright in charge of managing multimedia formats that allow users to playback videos and music on their Android devices.

Attackers exploit Stagefright by crafting malicious MMS messages that are sent to victims. In these cases, the only information required for highly targeted attacks is the victim's phone number.

In some instances, devices can be compromised, even when users do not play or watch the actual message content. Simply viewing the MMS can affect the device. With Google Hangouts, however, it is possible for devices to be compromised almost instantly even notifications are viewed.

Which versions of Android are vulnerable?

According to investigations, all versions of Android from Froyo (2.2) inclusive are vulnerable. This means that 95% of Android devices, or about 950 million users worldwide, are susceptible to the exploit.

In addition, versions prior to Jelly Bean are at higher risk, since they do not incorporate the appropriate mitigations.

How can users protect their devices?

ESET recommends users check with their vendors whether a patch for their Android device already exists and deactivate the short message service (SMS) auto retrieve function for Messenger and Hangout applications.

Users should also take extra precautions and check whether their devices are vulnerable with the ESET Stagefright Detector App and stay alert for new information regarding this topic.

Yamaha unveils simplified UC deployments
"In this fast-paced world, meeting participants need to be able to feel comfortable and hear those on the far end clearly to brainstorm new ideas and accomplish goals."
French cloud giant sets up shop in two APAC data centres
OVH Infrastructure has expanded its public cloud services in the Asia Pacific (APAC) market operating from two data centres within the region.
Jobs of the future: Will humans outmatch AI co-workers
"Regardless of how the workforce changes, automation, data and algorithms will complement rather than replace human employees."
How IBM’s acquisition of Red Hat could impact your business
The acquisition is pending regulatory approval, but IBM expects the deal to close in the second half of 2019. 
SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Google doubles down on hybrid cloud strategy
CSP is a platform that aims to simplify building, running, and managing services both on-premise and in the cloud.
Why NSP adoption of ECX Fabric is on the rise
ECX Fabric aims to enable networks to streamline their access to the world’s largest cloud providers.
Cloud data warehouse trends and best practices
"TDWI sees a wide range of data-driven IT systems moving to the cloud aggressively, and this includes the data warehouse."