Stagefright Bug Won’t Quit, 950 Million Android Devices Still Vulnerable
Stagefright, an infamous critical vulnerability affecting nearly all Android phones and tablets, is sticking around despite Google’s efforts to release multiple patches, according to independent researchers at a cybersecurity firm.
It’s like an annoying itch that just won’t go away. Researchers at Exodus Intelligence have found Google’s attempt to patch the notorious Stagefright vulnerability to be incomplete and flawed, leaving a staggering 950 million Android devices, including phones and tablets, still vulnerable.
Quite simply, the Stagefright vulnerability allows an attacker to completely compromise a targeted device through a seemingly harmless multimedia message that injects malicious code into the device. The bug affects all devices running Android 2.2 (Froyo) through Android 5.1 (Lollipop), which adds up to nearly a billion Android devices.
The Stagefright Bug is Proving Hard to Squash
The flaw was first discovered by Joshua Drake, a security researcher at mobile security firm Zimperium. Subsequently, the firm submitted a batch of patches along with the corresponding bug report to Google, and the tech giant pushed its first 4-line patch to squash Stagefright last week.
Google pushed out six patches in a security bundle as a part of the Stagefright security update. One of the six patches needed work, however.
Eight days later, the team of researchers at Exodus spotted the mistake in a source code tweak and were able to trigger a total system crash on a patched Android phone by exploiting it through an encoded .mp4 media file sent via multimedia messaging (MMS).
“The summary is that the Stagefright vulnerability is still exploitable and the 4-line patch that was implemented is faulty. We have been able to trigger the fault that still affects over 950 million Android devices,” said Exodus Intelligence researchers in a report on Engadget.
Exodus notified Google of the flawed patch on 7 August and decided to make the information public when there was no response from Android’s makers.
The security firm defended its unorthodox decision to reveal the botched patch publicly in a blog post; researchers routinely grant companies a standard 30-day notice period after reporting a security issue. The researchers noted that they chose to forgo the 30-day notice because the issue was originally reported over 120 days ago.
“There has been an inordinate amount of attention drawn to the bug – we believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions,” warned Aaron Portnoy, a vice president at Exodus in a blog post.
Google promised monthly security updates for Nexus devices at the Black Hat security conference in Las Vegas earlier this month, in direct response to the embarrassment caused by the Stagefright bug. Despite such assurances, the distribution channels meant to deliver these patches to end users throw up certain logistical difficulties. After Google sends out patches to mobile operators and manufacturers, those companies are then responsible for pushing the patches to their customers. This can be a cumbersome process in which some users do not get an update at all if their phones are deemed ‘outdated.’
In the meantime, Android users, this writer included, are likely to keep an eye out for a new patch to fix the old one, with a billion consumer devices still vulnerable at the time of writing this report.
Images from Twin Design / Shutterstock, StockSnap, and Pixabay.