If you thought Heartbleed was bad, then Stagefright is much worse

28 Jul 2015

If you are one of the nearly 1bn people using an Android phone, it’s probably best that you go into your settings and disable automatic multimedia messaging service (MMS) downloads following the discovery of the vulnerability called Stagefright.

The vulnerability is being described as “extremely dangerous” by security experts and now Stagefright is being touted as perhaps the worst security vulnerability in Android’s history.

The flaw, discovered by Zimperium Security, appears to show that a virus could be sent to an Android user through MMS without the user needing to accept the image, due to a piece of “scary code”.

The issue lies with the fact that, when it comes to media processing, the Android code is written in more error-prone C++ for speed, rather than in a memory-safe language like Java.

As a result, if you receive the malicious MMS as a notification on your Android phone, you can, without warning or knowledge, already have the virus on your phone, with no available course of action to take.

Screenshots of how the Stagefright virus appears. Image via Zimperium

Worse than Heartbleed

If not, then opening the link or interacting with the video in any way triggers the virus to download onto the phone repeatedly with every touch.

All Android phones running Android 2.2 (Froyo) and above are affected by Stagefright, with those running versions prior to Jelly Bean the most at risk.

“If ‘Heartbleed’ from the PC era sends chill down your spine, this is much worse,” Zimperium said in its blog on the subject.

Despite Zimperium doing its white-hat duties and informing Google, which has now patched the vulnerability, many Android users are still vulnerable.

The fact that updates are distributed by mobile network operators or hardware manufacturers means that there is no unified launch of a patch due.

In the meantime, Android users have been advised to go into their settings and manually disable automatic downloads of MMS.

Google’s statement on the matter is that, given the limitations of releasing the patch, its own Nexus devices will be receiving the update first.

“As part of a regularly-scheduled security update we plan to push further safeguards to Nexus devices starting next week,” the statement said. “And we’ll be releasing it in open source when the details are made public by the researcher at Black Hat.”

Stage image via Shutterstock

Colm Gorey was a senior journalist with Silicon Republic
