Stagefright: The Show Must Go On

By Jonathan Ross ·

Back in April, Joshua Drake at Zimperium zLabs discovered that Android carries one of the biggest flaws ever found in Google’s mobile operating system. The flaw is within Stagefright, an over-permissioned media processing mechanism that will automatically pre-load various media types received by the device. In this case, the user receives a malicious video or picture via MMS (text message) that Stagefright will process without any interaction by the user. The malware that is loaded onto the device can then delete the original infecting MMS message, except the notification, which is typically dismissed by the user.

The flaw is found in all versions of Android back to 2.2, which has put nearly one billion devices at risk, but the level of risk can vary as certain devices provide Stagefright system level access. Once the exploit is complete, the malware can access the user’s saved media files (or worse, on certain devices), and can also enable the microphone and camera without the user’s knowledge.

Zimperium has already sent patches to Google, which is currently working on a mass deployment plan. However, if a device is more than two years old, it is not likely to receive a patch. End users are encouraged to contact their device manufacturer and/or cellular carrier to confirm if their device will receive an update. This threat has put yet another bright spotlight on the emerging threats to mobile devices that are not deemed “compromised” in the traditional sense of being jailbroken or rooted. Every organization should treat their fleet of mobile devices as vulnerable endpoints, and should deploy them with a solution that can detect new, advanced threats.