Vast Majority Of Android Devices Are Vulnerable To 'Stagefright' Exploit

In a blog post published today by the researchers at Zimperium Mobile Security, the group divulged an extremely widespread security vulnerability that can be exploited with nothing more than a targeted MMS message. The hole exists in the part of the Android operating system called Stagefright, which handles the processing of certain types of multimedia.

Vast Majority Of Android Devices Are Vulnerable To 'Stagefright' Exploit That Can Be Executed Via Text Message, According To Researchers

This is very serious.

If targeted, the hypothetical hacker needs only to send an MMS message, which in many cases doesn't even need to be read before the attacker gains access to the victim's microphone and camera. The file will contain malicious code that executes by taking advantage of the problems in the Stagefright codebase. In the worst case, Zimperium says, the attacker could remove any trace of the offending MMS before the end user is every made aware that one is received.

It seems this just hit the wires within the last 24 hours and almost a billion devices running android from 2.2 up are vulnerable to this exploit. I've read that google has pushed out a fixed media.stagefright library fix to major phone vendors but pushing that to the phones may be difficult. I have a rooted phone and I'm going to try and flag some buildprop settings to false for that library and see if I end up with a bootloop.

Wired
Slashdot
Oneplusone
XDA
Hackernews
Forbes

a reply to: mockingmay

Anyone who uses a cell phone is vulnerable to this type of exploit , Have you read the "access agreement " on that FB app or that Chrome browser ? now days everyone is unsafe .


My self personally , I keep anything of importance stored on an external HD , Or flash drive ....

a reply to: Kapusta

That reminds me.. I think Firefox is effected to. I forget which versions. Anyways Yes.. I store nothing on the cloud except my personal owncloud hosted on my server with encryption both in owncloud and locally. Overkill who cares, better safe than sorry.

a reply to: mockingmay

I thought this was already posted.

a reply to: reldra

If it was I didn't see it. I did a quick search for "stagefright android" which is the exploitable library in android.

a reply to: mockingmay

I made have read it else where, but it is for both IOS and Android Source

Anyone who believes their devices are secure/private are fools.
Laptops, phones, watches, computers.. you name it.

If you have wifi, lan, bluetooth capability on it.. then your legs are open!

Anyone who thinks otherwise is insanely naive!

a reply to: reldra

I didn't know that. Thanks for the link. I did manage to disable it in build.prop on my rooted android. Not sure if that will solve it but tried it anyways.

I hate being that person that creates a thread and walks away but it's 4:42am here. I'll check back on the thread after some sleep.

originally posted by: Agit8dChop
Anyone who believes their devices are secure/private are fools.
Laptops, phones, watches, computers.. you name it.

If you have wifi, lan, bluetooth capability on it.. then your legs are open!

Anyone who thinks otherwise is insanely naive!

I have to agree 100%. It's not conspiracy either, I have worked in IT for over 10 years. The back doors are built into the manufacturer software and also come in the form of patches/firm ware updates. They were built in to give big brother access but a door is a door, you only need the knowledge of its existence and a tool or 2 to exploit it.

Those back doors have turned into a huge black market money machine, pumping wealth from the people without people really even realizing it. (till you get your credit report or apply for a loan)

If it connects to a network or a network capable device, it is not secure.

I have an HTC One M9, which is Android powered. This may be unrelated but, earlier today my phone automatically updated itself. I have it set so it doesn't update anything without my permission. But out of no where it shut down and updated. It took about a half hour from start to finish (without Wi-Fi), and I can't seem to find any changes to anything.

a reply to: MDpvc

Now that's strange. I haven't heard anything about forced updates. If I'm correct there is no way to disable direct OS updates on the android phone. ?!?! I wouldn't be surprised if they do force a fix. Its a small file that needs updated.

BTW, How do you know it updated? Are you using the stock OS?