Android Stagefright Vulnerability Puts 950M Devices at Risk

A full 95 percent of all Android devices -- that's about 950 million smartphones, tablets and other mobile gadgets -- are at risk from one of "the worst Android vulnerabilities discovered to date," according to enterprise mobile security firm Zimperium. The security flaw, enabled by the Android operating system's Stagefright media library, could allow hackers to access devices without users ever realizing that they've been compromised.

Because Stagefright is used for time-sensitive media processing on devices, it's implemented in C++ rather than a more "memory-safe" language such as Java, Zimperium noted today in a blog post on its Web site. However, that choice leaves the library more vulnerable to memory corruption, which can open devices to attacks that gain remote access through media files delivered by MMS (multimedia messaging service) text messages.

Zimperium said it has reported the vulnerability to Google and also submitted patches for the flaw. While Google "acted promptly and applied the patches to internal code branches within 48 hours," many millions of Android device users might not see security updates for months, if at all.

'Much Worse' than Heartbleed

"We thank [Zimperium zLabs researcher] Joshua Drake for his contributions," a Google spokesperson told us today. "The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device."

The spokesperson added, "Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."

The Stagefright flaw affects devices running Android version 2.2 and up, according to Drake's findings. Most at risk are devices using Android Jelly Bean (versions 4.1 through...
