Android Stagefright 2.0 affects all 1.4 billion Android devices

The Android Stagefright vulnerability has been updated to version 2.0, as the original researcher found the flaw in all versions of Android released to date. Google has promised a fix within days.

Two new Stagefright vulnerabilities, affecting all released versions of Android, were disclosed by Joshua Drake, vice president of platform research and exploitation at Zimperium Inc., based in San Francisco. One vulnerability affects versions all the way back to Android 1.0, and one affects versions 5.x. Drake did the original research that showed Android Stagefright would affect Android versions 2.2 and newer.

According to Zimperium, the Android Stagefright vulnerabilities could allow an attacker to send a file that appears to be an MP3 or MP4, but will execute malicious code when the metadata for that file is previewed. If the file is provided via a malicious website, this code could be executed without the user ever knowing.

On Monday, Google announced that there were more than 1.4 billion Android devices in active use around the world, and this news would mean all of those devices are potentially at risk.

It is unclear, though, how much more dangerous the Android Stagefright vulnerabilities are for users in light of these new disclosures. As Google noted when the original news came out, Android versions 4.1 and higher use address space layout randomization (ASLR), which greatly reduces the likelihood of a successful exploit, and Android versions 5.0 and higher make ASLR even stronger by requiring position-independent executable (PIE) for all dynamically linked executables.

Google's latest Android platform version numbers show 92% of all active Android devices use versions 4.1 and higher -- 21% are on Android 5.0 or higher -- meaning there are still approximately 112 million devices that are both at risk and do not have the added protection of ASLR or PIE.

Google said it has not received any reports of active exploitation of these vulnerabilities, but Tyler Shields, senior analyst at Forrester Research Inc. in Cambridge, Mass., said that ASLR can still be bypassed and it is very difficult to know if you have been a victim of exploitation with Stagefright.

"A well-formulated exploit would result in a backdoor on the targeted device, without the end user even knowing that the attack occurred," Shields said. "Compromise is relatively simple and can be sent in via multiple different inbound vectors. The exploit code is out there and available today, it's just a matter of choosing your target and firing."

Google said that it has been in contact with Zimperium throughout the process, and has since updated its Hangouts and Messenger apps, so they will not automatically pass media to vulnerable processes. Additionally, fixes for the new vulnerabilities will be released to Nexus users and the Android Open Source Project codebase as part of the next monthly security update due out on Oct. 5. Also, the patches were seeded to manufacturers as of Sept. 10, so they could get those fixes out to other Android users.

Shields said that the biggest problem for Google is not the exploit itself or the multiple vectors for attack, but that it is unknown when or if users will get the patches that Google has seeded to manufacturers.

"The problem is the time to remediation is not manageable. The supply chain that each patch has to go through before it hits the consumer is way too long, prone to push back and problems, and makes it nearly impossible for security to be quickly implemented," Shields said. "Google has got to get a better handle on the security patching process for all handsets, regardless of what the OEM vendors want. The security of the consumer is paramount."


Join the conversation

5 comments

What mobile security policies does your organization employ to mitigate risks like those associated with Stagefright?

Our mitigation strategy has focused more on trying to keep users’ devices up to date by making it easier for them to regularly upgrade their devices, and hasn’t really focused on specific security risks.

Do you mean getting new devices on a regular basis? If so, how often do you allow for upgrades?

It would be nice if the different manufacturers would take this as a sign that they need to stop putting their own stamp on the Android operating system, and just roll production with the current stock version. Their insistence on branding Android for their devices puts an unnecessary delay in the remediation process and, with mobile devices becoming increasingly relied upon by businesses, the delay is also becoming unacceptable.

Given that we're about 8 years into Android's lifecycle, it seems very unlikely that manufacturers will suddenly start to choose stock Android over differentiation. Maybe instead it's time for enterprises to go with a Nexus-only Android policy?