Stagefright Reveals Android’s Biggest Security Flaw

Written by Sue Poremba
Jul 29, 2015

I am a devoted Android user. I’ve never kidded myself about the flaws in the platform or about the malware hiding in countless apps. I do wish the folks at Google would get their act together when it comes to monitoring the apps made for the OS, but I don’t see that day coming any time soon.

For the most part, I pay a little more attention to any news about Android security flaws than I do for other platforms, because they could potentially affect me and my devices. But since I’m pretty security conscious, I do so mainly to be informed (and to inform my readers). I don’t worry about them too much.

However, the recently announced Stagefright vulnerability has me a little concerned.

Joshua J. Drake, VP of platform research and exploitation with Zimperium zLabs, is credited with the discovery of this latest Android vulnerability. According to the company’s blog, what makes this vulnerability so nasty is that the user doesn’t have to do anything to trigger an attack:

Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

I’ve seen articles that have called Stagefright the “Heartbleed of Mobile Devices;” however, Zimperium believes this vulnerability is much worse. Nearly a billion users are at risk by doing nothing.

What I find troublesome is how slowly the vulnerability has been addressed, and that has revealed a bigger security problem in Android than its lack of supervision over apps. As Andrew Blaich, lead security analyst for mobile app security firm Bluebox, said in an email comment to me:

Unfortunately, patching the eco-system of Android devices is a time intensive task that has an extremely long tail due to the nature of how updates are created and released from manufacturers to cellular carriers to end users. The ball is in the device makers’ and cellular carriers’ court now, but users will be exposed and very vulnerable in the meantime.

ZDNet went a little further into the Stagefright problem:

With the exception of the Nexus devices, Google provides the Android source code patches, but it’s up to the smartphone carriers and original equipment manufacturers (OEMs) to send it to users with updated firmware. As of July 27th, none of the major Android OEMs or carriers have announced plans to deliver the patch. With many older devices, patches may never be delivered.

One of the things I like about Android is the range of choices I have. I get to find the right type of device for my needs. But at some point, Google is going to have to address the need for more uniform security, because as we’ve seen in the past, vulnerabilities and exploits usually get worse, not better.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba

Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
