
Recursion

(56,582 posts)
Mon Jul 27, 2015, 11:20 PM

Android Stagefright Flaws Put 950 Million Devices at Risk

Source: Threat Post

Vulnerabilities discovered in the Stagefright media playback engine that is native to Android devices could be the mobile world’s equivalent to Heartbleed. Almost all Android devices contain the security and implementation issues in question; unpatched devices are at risk to straightforward attacks against specific users that put their privacy, data and safety at risk.

Google has patched internal code branches, but devices require over-the-air updates and given the shaky history of handset manufacturers and carriers pushing out security fixes, it’s unknown how long it will take to update vulnerable devices, or whether some will ever get fixed. Silent Circle has patched its Blackphone against the vulnerabilities, as has Mozilla, which uses Stagefright code in Firefox.

The flaws have been in Android since—and including—version 2.2; devices running Android versions older than Jelly Bean (4.2) are at greater risk since they lack exploit mitigations that have been built into newer versions of the OS.

Researcher Joshua Drake, vice president of platform research and exploitation at Zimperium zLabs, said exploits could be particularly insidious given the fact that an attacker need only use a malicious MMS message that could trigger the vulnerability without user interaction, and delete the message before the victim is aware. All an attacker would need, Drake said, is the device’s phone number.


Read more: https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960



One mitigation for the moment is to turn off auto-download on MMS.

SoapBox

(18,791 posts)
1. Hasn't Android always been full of holes?
Tue Jul 28, 2015, 12:03 AM

I've never purchased any devices run on Android...it scares me.

And no one ever talks about it.

Recursion

(56,582 posts)
2. Why do you say that?
Tue Jul 28, 2015, 12:11 AM


Any software has security flaws; Android is based on the Linux kernel, which has a pretty good track record and is open source and constantly audited.