Stagefright -- the worst Android vulnerability ever dubbed 'heartbleed for mobile'

Nearly 95 percent, or 950 million, Android devices are affected by this 'scary' vulnerability, according to researchers.

FP Staff July 28, 2015 16:09:27 IST

Nearly 95 percent, or 950 million, Android devices carry "scary" code inside them, according to researchers. Zimperium zLabs has discovered a security bug that it considers to "be the worst Android vulnerabilities discovered to date."

The bug, named 'Stagefright', actually lies in a media library of the same name that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++), which is more prone to memory corruption than memory-safe languages like Java.


Zimperium zLabs VP of Platform Research and Exploitation, Joshua J. Drake, found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user interaction.

Attackers only need to know the target's mobile number, with which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before the user sees it. The user will only see the notification.

"These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone," Drake explained.

Android and derivative devices after and including version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11 percent of devices) are at the worst risk due to inadequate exploit mitigations.

"If ‘Heartbleed’ from the PC era sends chills down your spine, this is much worse," he added.

Upon discovering the Stagefright vulnerability, Zimperium alerted Google and submitted patches for the problem. Considering the severity of the problem, Google acted and applied the patches to internal code branches within 48 hours, but "unfortunately that’s only the beginning of what will be a very lengthy process of update deployment."
