850 million Android devices still at risk of hijack by Stagefright bug

Security researchers say the fragmented nature of the Android ecosystem limits how widely protections against the bug can be deployed.
Written by Danny Palmer, Senior Writer

[Image: Hundreds of millions of devices are still at risk from Stagefright. Image credit: Zimperium]

Over 850 million Android devices are still potentially at threat from the notorious Stagefright vulnerability, leaving large swathes of smartphones and tablets at risk from hijacking via malware injections.

Stagefright first came to light last year after it was discovered by Zimperium researcher Joshua Drake, and the bug was dubbed one of the "worst Android vulnerabilities discovered to date".

The vulnerability affects any Android device running Android 2.2 or higher and allows attackers to hijack a device without the user even being aware. It does so by taking advantage of Android's built-in media library, which can be triggered to run malicious code capable of giving the attacker access to all the user's files.

Google has continuously released patches, updates and other fixes since the severity of the vulnerability came to light, but writing in a blog post titled 'Reflecting on Stagefright Patches', researchers at Zimperium have warned that hundreds of millions of smartphones and tablets running the Android operating system still remain vulnerable to the security flaw.

In total, the mobile security firm believes between 600 million and 857 million of the estimated 1.4 billion to 2 billion Android devices in the world still remain vulnerable. The figures are based on an analysis of Android devices, 43 percent of which were deemed to still be vulnerable to bug CVE-2015-3864, despite updates by Google.

Part of the problem, researchers claim, stems from vendors shipping updates designed to patch Stagefright that in fact leave users exposed to other variants of the vulnerability. Sony, Motorola, Samsung, Asus, LG and Huawei have all inadvertently made this error, potentially increasing the likelihood of users being attacked rather than decreasing it.

Zimperium also raises concerns over new Stagefright vulnerabilities - such as Metaphor, which was discovered earlier this month - which are slow to get patched because only a small number of devices receive an update at any one time.

Google is looking to fix this issue with the introduction of Android N, but zLabs researchers point out "it will take a few years before the entire ecosystem will be running Android N+".

There's also the issue of updates not being applied to older Android devices, incapable of running newer versions of the OS, which means they'll remain vulnerable to attack as they're unable to receive patches.

Devices also remain unpatched due to the fragmented nature of the Android ecosystem in which a large number of handset providers operate. Whilst Google remains committed to releasing monthly updates to ensure protection against Stagefright, vendors can be slow to approve and implement the upgrades, leaving their users wide open to becoming victims.

The firm also advises carriers and instant messaging vendors "to be prepared to block SMS messages with links in the event that a worm begins spreading".
