Story image

Android security flaw found in 950 million devices

20 Aug 15

A new security flaw known as Stagefright has been found in 95% of Android devices. The vulnerability allows attackers to steal information through remotely executed code via a maliciously crafted multimedia messaging services (MMS).

Dubbed one of the largest Android vulnerabilities to date, it has been estimated that 950 million devices worldwide are vulnerable to Stagefright.

In light of this, ESET has launched a free app on Google Play to help Android users detect Stagefright on their devices.

"Asia Pacific has one of the highest Android mobile users in the world, making the region a prime target for cyber hackers.

“Mobile users should always remember to follow cyber security best practices, such as avoiding clicking on messages or links from suspicious sources and updating their operating system software regularly," says Parvinder Walia, ESET Asia Pacific sales director.

"We hope that more consumers will download the app as a proactive measure to secure their devices,” he says.

ESET has summarised additional information for consumers and businesses about Stagefright in the following FAQ:

Is Stagefright really the worst of all Android vulnerabilities?

It is difficult to label a vulnerability as being the worst because the basis for this attribution varies. Some considerations include, the number of devices affected, the ease with which devices are compromised, and amount of exploits in the wild.

However, with 950 million users of Android devices potentially affected and a failed attempt by Google to fix the issues, users should take Stagefright more seriously than other commonplace vulnerabilities.

How does this vulnerability work and why is it called Stagefright?

Amongst the thousands of lines in the source code of Android, there is a media library called Stagefright in charge of managing multimedia formats that allow users to playback videos and music on their Android devices.

Attackers exploit Stagefright by crafting malicious MMS messages that are sent to victims. In these cases, the only information required for highly targeted attacks is the victim's phone number.

In some instances, devices can be compromised, even when users do not play or watch the actual message content. Simply viewing the MMS can affect the device. With Google Hangouts, however, it is possible for devices to be compromised almost instantly even notifications are viewed.

Which versions of Android are vulnerable?

According to investigations, all versions of Android from Froyo (2.2) inclusive are vulnerable. This means that 95% of Android devices, or about 950 million users worldwide, are susceptible to the exploit.

In addition, versions prior to Jelly Bean are at higher risk, since they do not incorporate the appropriate mitigations.

How can users protect their devices?

ESET recommends users check with their vendors whether a patch for their Android device already exists and deactivate the short message service (SMS) auto retrieve function for Messenger and Hangout applications.

Users should also take extra precautions and check whether their devices are vulnerable with the ESET Stagefright Detector App and stay alert for new information regarding this topic.

NZ’s $3.45bil IT services market fueled by competitive advantage
"With regards to cloud adoption, organisations are prioritising innovation and security over cost and scalability.”
The secret to scaling DevOps in the digital era
"Organisations around the world have learnt at a cost that while agile DevOps methodologies can result in improved outcomes within teams and projects, they have a propensity to fail miserably."
APAC FinTech network launches to encourage cross-border innovation
Nine associations formally launched the network by signing a Statement of Intent at the Asian Financial Forum event in Hong Kong.
Avaya expands AI offerings with new partnerships
The additions to the ecosystem will enable Avaya to add prioritisation and natural language processing to its UC solutions.
Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Kiwis make waves in IoT World Cup
A New Zealand company, KotahiNet, has been named as a finalist in the IoT World Cup for its River Pollution Monitoring solution.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
SUSE partners with Intel and SAP to accelerate IT transformation
SUSE announced support for Intel Optane DC persistent memory with SAP HANA.