The 'Stagefright' exploit: What you need to know

In July 2015, security company Zimperium announced that it had discovered a "unicorn" of a vulnerability inside the Android operating system. More details were publicly disclosed at the BlackHat conference in early August — but not before headlines declaring that nearly a billion Android devices could potentially be taken over without their users even knowing it.

So what is "Stagefright"? And do you need to worry about it?

We're continuously updating this post as more information is released. Here's what we know, and what you need to know.

What is Stagefright?

"Stagefright" is the nickname given to a potential exploit that lives fairly deep inside the Android operating system itself. The gist is that a video sent via MMS (text message) could be theoretically used as an avenue of attack through the libStageFright mechanism (thus the "Stagefright" name), which helps Android process video files. Many text messaging apps — Google's Hangouts app was specifically mentioned — automatically process that video so it's ready for viewing as soon as you open the message, and so the attack theoretically could happen without you even knowing it.

Because libStageFright dates back to Android 2.2, hundreds of millions of phones contain this flawed library.

Aug. 17-18: Exploits remain?

Just as Google began rolling out updates for its Nexus line, the Exodus firm published a blog post snarkily saying that at least one exploit remained unpatched, implying that Google screwed up with the code. UK publication The Register, in a flouncily written piece, quotes an engineer from Rapid7 as saying the next fix will come in September's security update — part of the new monthly security patching process.

Google, for its part, has yet to publicly address this latest claim.

In the absence of any further details for this one, we're inclined to believe that at worst we're back where we started — that there are flaws in libStageFright, but that there are other layers of security that should mitigate the possibility of devices actually being exploited.

On Aug. 18, Trend Micro published a blog post on another flaw in libStageFright. It said it had no evidence of this exploit actually being used, and that Google published the patch to the Android Open Source Project on Aug. 1.

New Stagefright details as of Aug. 5

In conjunction with the BlackHat conference in Las Vegas — at which more details of the Stagefright vulnerability were publicly disclosed — Google addressed the situation specifically, with lead engineer for Android security Adrian Ludwig telling NPR that "currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue."

This is very much at odds with the "900 million Android devices are vulnerable" line we have all read. While we aren't going to get into the midst of a war of words and pedantry over the numbers, what Ludwig was saying is that devices running Android 4.0 or higher — that's about 95 percent of all active devices with Google services — have protection against a buffer overflow attack built in.

ASLR (Address Space Layout Randomization) is a method that keeps an attacker from reliably finding the function he or she wants to exploit by randomly arranging the memory address space of a process. ASLR has been enabled in the default Linux kernel since June 2005, and was added to Android with Version 4.0 (Ice Cream Sandwich).

How's that for a mouthful?

What it means is that the key areas of a program or service that's running aren't put into the same place in RAM every time. Putting things into memory at random means any attacker has to guess where to look for the data they want to exploit.
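
An added illustration of the point above (not part of the original article): comparing the memory maps of two launches of the same program shows which regions ASLR moved. The snapshots, binary name and library paths are constructed for the example; it also goes slightly beyond the text by showing that an executable not built as position-independent keeps a fixed base even with ASLR on.

```python
import re

# Constructed sample data (not from the article): /proc/<pid>/maps snapshots
# from two launches of the same hypothetical, non-position-independent binary
# on a Linux-based system with ASLR enabled. All paths are made up.
RUN_A = """\
00400000-0040c000 r-xp 00000000 08:01 1312 /system/bin/demo_player
0060b000-0060d000 rw-p 0000b000 08:01 1312 /system/bin/demo_player
01b2e000-01b4f000 rw-p 00000000 00:00 0 [heap]
7f3a1c200000-7f3a1c3c0000 r-xp 00000000 08:01 2210 /system/lib/libc.so
7f3a1c5d0000-7f3a1c5f3000 r-xp 00000000 08:01 2214 /system/lib/libmedia_demo.so
7ffd4a1e0000-7ffd4a201000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00400000-0040c000 r-xp 00000000 08:01 1312 /system/bin/demo_player
0060b000-0060d000 rw-p 0000b000 08:01 1312 /system/bin/demo_player
0229a000-022bb000 rw-p 00000000 00:00 0 [heap]
7f91e6a00000-7f91e6bc0000 r-xp 00000000 08:01 2210 /system/lib/libc.so
7f91e6dd0000-7f91e6df3000 r-xp 00000000 08:01 2214 /system/lib/libmedia_demo.so
7ffc03b5f000-7ffc03b80000 rw-p 00000000 00:00 0 [stack]
"""

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


def parse_maps(text):
    """Return {region name: lowest start address} for every named mapping."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        start, name = int(m.group(1), 16), m.group(7).strip()
        if not name:
            continue  # anonymous mappings cannot be matched across runs
        bases[name] = min(start, bases.get(name, start))
    return bases


def compare_runs(run_a, run_b):
    """Label each region present in both runs as 'fixed' or 'randomized'."""
    a, b = parse_maps(run_a), parse_maps(run_b)
    result = {}
    for name in sorted(a.keys() & b.keys()):
        result[name] = "fixed" if a[name] == b[name] else "randomized"
    return result


def fixed_regions(run_a, run_b):
    """Regions an attacker would not have to guess: same base in both runs."""
    return [n for n, v in compare_runs(run_a, run_b).items() if v == "fixed"]


if __name__ == "__main__":
    for name, verdict in compare_runs(RUN_A, RUN_B).items():
        print(f"{verdict:10}  {name}")
    print("not randomized:", fixed_regions(RUN_A, RUN_B))
```

To check a real process, pass the text of `/proc/<pid>/maps` captured on two separate launches instead of the constructed snapshots.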

This isn't a perfect fix, and while a general protection mechanism is good, we still need direct patches against known exploits when they arise. Google, Samsung and Alcatel have announced a direct patch for Stagefright, and Sony, HTC and LG say they will be releasing update patches in August.

Who found this exploit?

The exploit was announced July 21 by mobile security firm Zimperium as part of an announcement for its annual party at the BlackHat conference. Yes, you read that right. This "Mother of all Android Vulnerabilities," as Zimperium puts it, was announced July 21 (a week before anyone decided to care, apparently), and just a few words before the even bigger bombshell of "On the evening of August 6th, Zimperium will rock the Vegas party scene!" And you know it's going to be a rager because it's "our annual Vegas party for our favorite ninjas," complete with a rockin' hashtag and everything.

How widespread is this exploit?

Again, the number of devices with the flaw in the libStageFright library itself is pretty huge, because it's in the OS itself. But as noted by Google a number of times, there are other methods in place that should protect your device. Think of it as security in layers.

So should I worry about Stagefright or not?

The good news is that the researcher who discovered this flaw in Stagefright "does not believe that hackers out in the wild are exploiting it." So it's a very bad thing that apparently nobody's actually using against anyone, at least according to this one person. And, again, Google says if you're using Android 4.0 or above, you're probably going to be OK.

That doesn't mean it's not a bad potential exploit. It is. And it further highlights the difficulties of getting updates pushed out through the manufacturer and carrier ecosystem. On the other hand, it's a potential avenue for exploit that apparently has been around since Android 2.2 — or basically the past five years. That either makes you a ticking time bomb, or a benign cyst, depending on your point of view.

And for its part, Google in July reiterated to Android Central that there are multiple mechanisms in place to protect users.

We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device. Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.

What about updates to fix Stagefright?

We're going to need system updates to truly patch this. In its new "Android Security Group," Google issued an Aug. 12 "Nexus security bulletin" detailing things from its end. There are details on multiple CVEs (Common Vulnerabilities and Exposures), including when partners were notified (as early as April 10, for one), which build of Android featured fixes (Android 5.1.1, build LMY48I) and any other mitigating factors (the aforementioned ASLR memory scheme).

Google also said it's updated its Hangouts and Messenger apps so that they don't automatically process video messages in the background "so that media is not automatically passed to mediaserver process."

The bad news is that most folks are going to have to wait on the manufacturers and carriers to push out system updates. But, again — while we're talking something like 900 million vulnerable phones out there, we're also talking zero known cases of exploitation. Those are pretty good odds.

HTC has said updates from here on out will contain the fix. And CyanogenMod is incorporating them now as well.

Motorola says all of its current-generation phones — from the Moto E to the newest Moto X (and everything in between) — will be patched, with code going to carriers starting Aug. 10.

On Aug. 5, Google released new system images for the Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9 and Nexus 10. Google also announced that it will release monthly security updates for the Nexus line. (The second publicly released M Preview build appears to already be patched as well.)

And while he didn't name the Stagefright exploit by name, Google's Adrian Ludwig earlier on Google+ had already addressed exploits and security in general, again reminding us of the multiple layers that go into protecting users. He writes:

There's a common, mistaken assumption that any software bug can be turned into a security exploit. In fact, most bugs aren't exploitable and there are many things Android has done to improve those odds. We've spent the last 4 years investing heavily in technologies focused on one type of bug -- memory corruption bugs -- and trying to make those bugs more difficult to exploit.

For more on how that works, read our Q&A on security with Google's Ludwig.

Stagefright detector apps

We don't really see the point in using a "detector" app to see if your phone is vulnerable to the Stagefright exploit. But if you must, there are some available.

161 Comments
  • Whatever Posted via the Android Central App
  • Lol! Exactly Nexus 5 (AT&T)
  • Well you should be in the know. Because there are known knowns and unknown knowns that everyone knows about that they don't know about because it's not known to those who know they don't know, only to those who think they know. Ya know?
  • The panic attack exploit lol Posted via the Android Central App
  • If this was not such a serious vulnerability, then please explain why ALL the major OEMs are now rushing to patch this! And, oh, by the way, it has already been detected in the wild for some time now, but you would not be aware if you were hacked or not! This from the wiki page, and I have read elsewhere too. "In July 2015, Evgeny Legerov, a Moscow-based security researcher, announced that he found two similar heap overflow zero-day vulnerabilities in the Stagefright library, claiming that the library has been already exploited for a while." And there are two NEW exploitations found by Trend Micro: http://blog.trendmicro.com/the-show-goes-on-more-stagefright-horrors-wit... And 360 mobile security posted that there are other settings to worry about: https://www.linkedin.com/pulse/insight-stagefright-flaws-wei-wei?trk=pro... And last, but certainly not least, your file managers are likely vulnerable if they have a built-in media player. (see link above) So for all you uncaring, who wish to remain ignorant of the realities, your days are numbered. Not if you are ever hacked, but when. Too bad I won't be there to enjoy it! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Because no one ever is affected by this shit Posted via the Android Central App
  • +1 Posted via the Android Central App
  • Oh sure, right! That's why Google's Ludwig says that ONLY 15% of total Android devices were infected with some kind of malware, adware, and or spyware. Do you know what 15% of one BILLION devices is? No? Ok, I'll tell you, it is ONE HUNDRED AND FIFTY MILLION devices! Just because you, or anyone you know, has not experienced these things does not discount the facts that others have. Most people don't even know the symptoms of an infected device. Or how to go about identifying the cause of their malfunctioning devices. Their phone could be a part of a botnet and they would never know it, and just scratch their heads wondering why their battery life took a dump one day, or week, and then returned to normal functions. Or, gee, "my data took a big hit last month" Or, "why is my phone overheating" and on and on it goes. These are examples of things that could be harmful, or... harmless. But how would you know? So, go on and be careless if you want, but there are others who do more than play games on their device. And could suffer real losses. And speaking of games, there was RANSOMWARE being served up to tens of thousands of gamers not long ago. But who cares, right? Not you! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Find me a first hand account of this or a forum and not some statistic Posted via my Nexus 6
  • Post your number and I'll make you a first hand. Security needs to be taken seriously. Based on statistics someone gets hacked 18 times a second. Did you know that some time ago there was a rash of malicious live wallpaper that mined bitcoins for the dev? They have been taken down by now, but still. In the end you are the smug 10 foot tall and bullet proof guy that gets shot and killed.
  • The number he gave was 0.15% not 15%. Sorry I'm a fortnight late, but an error of that magnitude needs pointing out. Wubba lubba dub dub!
  • What?  He was only off by a factor of 100 ;)
  • And this is called fear mongering. A well known exploit. Posted via the Android Central App
  • I got hit over the weekend. This has been the most exhausting, frustrating event in my life. I still don't know exactly what Stagefright does and what all they can do. My phone was older and after receiving the text back from an ad, BAM! My phone was open overnight before I realized that I'd been infected. This really sucks. Have new phone but can't access provider account... it's like I'm still hijacked. Any suggestions?
  • Hi, you should call your provider right away, and you need to change passwords for that account and your Google account as soon as possible. Then there are lots of other passwords you will likely need to change. After that, if you still have the old phone, you might want to have it looked at by a computer security person. There is a multitude of Android malware that could have affected your device. But Stagefright may have been the delivery method. Google that name to read up on it later. Good luck.
  • Thank you for responding, I am not one of you guys, I was actually led here through Google. When I got hit, my provider and I were even locked out of my account since Saturday... this is some scary stuff.
  • I assume you have regained provider control? What about your Google account? And what is the manufacturer of your new phone? Nexus receives the fastest security updates, followed by Samsung, LG, and maybe HTC and Motorola. But Google just put out a patch for several vulnerabilities, and it will take some time before they make it to other phone models. Even Marshmallow is not fully patched. Here is a news link to Google's latest patching. There are several new Android malware that could have affected your phone, and a couple can even gain root access without your interaction. There are many articles at Security Week, and if you do a search on "theregister.com" (Android) you can find all kinds of helpful info. There are too many things, symptoms to cover here that could help narrow down what malware you encountered, but all important passwords need changed, and if you used any credit cards on your phone to shop, you should probably notify your bank about the breach you experienced. Just a precaution. If you have any further questions, I will try and help. Stay safe.
  • *** This was supposed to be a reply to Justine13. Sorry, I don't have any suggestions. I'm replying to your comment that you don't know exactly what it does. I was messaged by my provider months back about StageFright and they said I would be notified when the patch is available. I also heard an update to my device would carry a fix. So far, nothing has happened. I was watching last night's (Friday) Crime Watch Daily and they did a segment on this. The scariest part to me is even with the phone off, they can hear you through the microphone and see whatever the camera (front or back) is pointing to. It can gain access to everything on your phone. They showed 2 hackers that they hired to hack into a lady's phone. From the hackers' end, they showed the viewers that they were looking at and hearing this lady's conversation with a friend at a cafe, as well as pinpointing her location. SCARY!
  • Soooooooooooo................... Posted via the Android Central App
  • "This is *an exploit" is the graver mistake in the article. :P But in all seriousness, it is an exploit and should be taken seriously especially given the nature of the auto-load video 'functionality'.
  • Google's response could be a bit more precise and specific. For example, (not an actual quote) "Android has this, this, and this which will prevent this exploit from affecting users in a meaningful way".
  • That's what I thought. It's so vague as to be lacking credibility. You just hope it's vague because they don't want to tell hackers how they're going to be blocked.
  • Yeah? So that exploiters know what to deal with next?
  • Acknowledging it would not help an exploiter.
  • They like to pretend if they don't say anything it will go away on its own.
  • I suspect it has more to do with not wanting to get super technical about application sandboxing and ASLR in a press release that is intended to be intelligible to the "average" user.
  • If you are using hangouts for SMS, is the fix as simple as going into settings and turning off "Auto-retrieve MMS messages"? Then if you get a message from an unknown number you just ignore it?
  • Good question. Posted via the Android Central App
  • That is too simple of a solution and can not be expected to be used. Google will push out a solution to nexus devices. Samsung will advise you buy the now patched Galaxy s 6. Everyone else will hope you don't notice there hasn't been an update to your phone for a while until they can get their next flagship out, then they'll travel Samsung's road.
  • "Samsung will advise you buy the now patched Galaxy S6"....lololol!!
  • That was my initial thought as I was reading.
  • I have a choice of Hang Outs and the default messaging app. The default messaging app has the option to uncheck 'auto-retrieve' but it doesn't mention if it's MMS or what. I'm pretty close to stock using an un-tinkered with Moto G.
  • I think it's MMS, because if you notice, it's below the MMS section.
  • Yes. It *could* still be possible for someone you know to send you an MMS message that contained the exploit, but seems less likely. As the article states, it's very unlikely to be a problem if you're running Android 4.0 or newer, but turning off Auto-Retrieval of MMS messages means that you have an extra layer of control in deciding if you want to download MMS messages.
  • If we have to wait for, say, Verizon to get around to pushing this out, it'll be 8-16 months if their track record is any indication.
  • How original, a dig at Verizon and their slow paced updates. You've probably been waiting 8-16 months to use that!
  • We see what you did there Posted via the Android Central App
  • Troller no trolling.
  • Swiper, no swiping!
  • I'm soak testing a reply to your post. It should be ready sometime in Q2 2015!
  • Actually the one great thing about Verizon is they are very keen and very fast for fixing security exploits of every kind and push them out very fast. Verizon knows its regular customers are going to be going to them first for any and every problem with their phones. As much as I dislike Verizon, and I'm a customer, they are on top of security patches. Remember when my D1 stopped getting OS updates, but Verizon still pushed out security patches to it in a timely manner after it stopped supporting the phone.
  • I don't use Hangouts for messaging. I assume that Messenger does not auto play video. Still, updates should be pushed out if they have not been already on ALL phones, on all carriers (I'm looking at you, VZW).
  • Hangouts is updated through the Play store, the messenger app depends on your manufacturer. Have most moved the messenger app to the play store yet? I need to find out how mine is updated.
  • Probably referring to the Google Messenger app, which is in the Play Store. (Not manufacturer-supplied ones, as those mostly aren't in the Play Store) Posted via the Android Central App
  • Yes, I am talking about Google's own Messenger app downloaded from the Play Store.
  • Turned off Auto MMS receive in Messenger settings, just in case.
  • I'm running the latest version of Android hopefully it not an issue on a brand new nexus right... And let's not forget about , effective. 
    Power
    لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ
    冗 Posted via the Android Central App
  • How (or actually why) could a media file have an executable that the OS will run, especially with system privileges ?
    I mean, Why would the OS need to execute there something? Isn't this sort of thing just a readable type of file?
  • It will likely be some kind of vulnerability in StageFright that corrupts that stack and allows a stack return pointer to point in to the media file in memory, or something, although in that case, I'd expect the XN (Execute Never) facilities in ARMv6 onwards to stop that being executed (those facilities are designed to only allow execution from memory that has been specifically flagged as containing executable code). I'm probably being naive to trust technologies like that, though!
  • But it's a media file, something that other software is supposed to just read from it, not to execute anything... Just extracting a bitmap or something to show to the user...
    How could it corrupt anything? If the data is unreadable, it should just be marked as "invalid/corrupt" or something.
    A very weird bug.
  • It's probably a very typical bug known as a buffer overflow. A bug in the code that reads the video allows carefully crafted invalid input to write data past the end of a section of memory called a buffer, overwriting memory that's located physically just after the buffer, that contains executable code. Then the attacker's code is executed instead of the original code that was present at that location.
  • Could be. But isn't this kind of putting the code memory outside of its place a bit random?
    I mean, what chance is there that the exact piece of code will be executed , instead of only a part of it that's probably harmless (or can crash) ?
  • That should be one of the "protection mechanisms" newer versions of Android have. Position independent executables and ASLR make this kind of exploitation harder, but not impossible (i.e. Nop-sledding into mmapped bionic libc functions (which is still impeded by ASLR)). I'm also not sure whether or not Stagefright was compiled as a PIE or not... Of course, if the exploit works on some other mechanism that ASLR can't protect against, all safety bets are out the window; Stagefright isn't truly sandboxed in the same way a Dalvik/ART executable can be.
  • I don't know about most of the terms you've written, but the last sentence summarizes it all.
    I hope that at least for the relatively new versions of Android, this isn't a major security issue.
  • Huh?
  • Yet another reason why Apple will claim why they are better. Posted via the Android Central App
  • We are just 2 months out from Apple dealing with their own SMS exploit that was taking down the majority of their devices
  • http://www.express.co.uk/life-style/science-technology/580211/iPhone-Mes...
  • I think the bug in the iOS/OSX keychain is a bit more serious:
    http://www.cultofmac.com/326567/mac-ios-malware-vulnerability/
  • Not to mention the bug that allowed websites to install "fake" versions of apps that could steal users' data, just by having the user click a link in an email or on a web page. No system is immune to security vulnerabilities. And the more complex (and convenient) the system gets, the harder it is to keep it secure.
  • So you got good hackers and bad hackers. Good hackers find a weakness, the news reports it. Bad hackers read article that says bad hackers haven't used exploit yet. Now bad hacker knows about exploitable exploit about to be exploited, by him... if it were actually something serious. Why does the media do this? It's so moronic. The important scary stuff never actually gets to the media, too much investment at stake. It's the pitiful crap like this that no real hacker cares about (because it's been exploitable for FIVE FREAKING YEARS and no one has cared about it, nor do they now) that gets the laymen all up in arms and huffy puffy over. So thanks media for getting us all riled up over nothing. And if it is something, thanks for advertising an unresolved issue to the whole world via a click of the mouse, so it's more of a something than it ever should have been.
  • Isn't that what media does, anyway?: They use shock value to frighten everyone into immobility. The fear card then raises, the US wastes $trillions, thus becoming a 3rd-world nation. Little kids can't then ride their bikes alone near their neighborhoods, nor may they play with horned toads and bugs in fields and vacant lots. They can't then obtain decent immunity--thus they must increasingly depend even more heavily upon our idiot, clueless, and corrupt medical system. Thus, the kids stay in their homes--"safely" with their phones and tablets--not knowing anything at all about nature while also becoming fat, diabetic, and a coronary concern. Their food is no good, since it's become so cheapened, nutrient-deficient, and chemical-laden--familiar diseases like ADD and autoimmune disease arise. When the temperature outside finally hits 150deg. F, or their houses burn up or wash away--they may then prove puzzled and concerned, in the end. What may they do then?: In vain, they'll Google for an easy, one-step solution--one which requires the least effort....
  • Does anyone know what sort of access permissions the malicious code would have? I've read everything from just the media files to "full control of your device."
  • The researcher who found the exploit "discovered a multitude of implementation issues with impacts ranging from unassisted remote code execution down to simple denial of service". I suspect that since Stagefright is part of the core OS, it might run with a high level of privilege.
  • I smell another FUD article from Rene Bitchey coming later today from iMore... Posted via the Android Central App
  • So if you received one of these texts, would a scan from something like Lookout, show anything?
  • No! The exploitation can erase the MMS before you ever see it, and if you are lucky, you may see a notice to a non-existing message. The real problem here, and is being downplayed by AC and Ludwig as usual, will be the attacks or spyware you never see or detect, or it will be combined with other malware to say, lock you out with ransomware. It's just a matter of time until this is used, and then, even then, Google will simply say, "see, we already fixed it" not my problem. Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Well, why shouldn't Google say that? This is the carriers' fault if they can't get a critical patch out in 90 days....
  • Yes but it's Google's problem. Google wants people to use Android, so anything hindering that (i.e. manufacturers and carriers) is a huge problem to Google. Fragmentation should be top on Google's list of things to remediate (though I have no idea how it would do it).
  • Exactly. via AC App
    on VZW Moto X 2014/2013 DE/N7
  • Couldnt this be fixed with a play services update? Perhaps it has already been pushed.
  • This is what I was thinking. This seems like the kind of thing that could be addressed via a Google Play Services update.
  • I'm guessing no, if it's a problem with a media component of the core OS. But I'd think they'd at least patch the vulnerability in Hangouts so it doesn't process video automatically. Actually, if they've known about this for months, I'm not sure why they haven't already.
  • It could affect the built-in messaging app as well, which would not be fixed until that OEM pushed out the update for their specific app.
    Our lead grey-hat hacker laughed because zero people have been affected, the exploit is difficult to use effectively because of the memory management since Android 4.0 (probably why no one has bothered using it), and it takes 5 seconds to render this exploit useless. In your message app, go to settings then multimedia messages, and un-check auto retrieve. Done.
  • Here's what I wish. I wish a vulnerability so easy to exploit and so severe would happen that it would cause Google, the OEMs and the carriers to all sit down and rethink how security updates are handled. I think it will take something like this before they get serious about it.
  • They got me and I'm pissed. Posted via the Android Central App
  • If they really got you, then you would not know it in the first place, that is unless it was RANSOMWARE. Which then, you would not have been able to post via the AC app in the first place! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • If you turn off the following settings in your messaging app/apps on your device: Auto-retrieve MMS. Check to automatically retrieve multimedia messages that you receive. If auto-retrieve is unchecked in your Messenger MMS settings, you must touch Download to view the message. Roaming auto-retrieve. Check to automatically retrieve multimedia messages while roaming. Then when you receive the text with this exploit it will not download to your phone unless you hit the download button. So looks like this can be turned off without a patch but patches are needed cause not everyone is smart enough to turn these off.
  • You mean not everyone is smart enough to read tech blogs so that they know to turn these off. Seriously, you didn't have to insult people.
  • I didn't insult anyone, all I said was some are not smart enough to turn these features off and that's why the patches are needed.
  • Thanks for the fix. We can move along.
  • As Phil likes to downplay scary things for all those not fortunate to have all the latest and greatest Android devices, I'll say this, the unknowns ARE NOT being ignored, as this is part of a presentation at Blackhat USA 2015 and was responsibly disclosed to Google. They announced this to generate interest in their upcoming presentation. If anyone is playing around here, it is Google who should be talking more about how to stay safe, as they were responsible for the bad code in the first place! These researchers provided the patches to Google even, and Google used them! To make fun of these security specialists is tantamount to blaming the messenger, and in bad taste for Phil to ridicule them. But why should he care, he is always going to have the newest devices. Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Agreed. Phil's good at reviewing phones, not security issues. Another way to mitigate against the risk is to use TextSecure. It will automatically download the media but you can't play or view any media without clicking through a warning about playing media insecurely.
  • So, these people at Zimperium are all nice guys. What if someone else has found this hack in the past 5 years?
    Security matters. Maybe it's time to try a Windows phone.
  • Made me laugh. Thanks for that.
  • The corresponding module in a Windows Phone is likely a WinRT component written in C++. C++ collections are far more resilient against this sort of thing than C's manual memory buffering. Perhaps laughing is not the wisest thing to do.
  • Dan wasn't laughing about the tech aspect of the security. He was laughing at the concept that anyone actually WANTS a Windows phone. You tech nerds really need to lighten up. We love you, but your sense of humor is severely lacking.
  • What I'm a bit confused by is the fact that it apparently has different impacts on Hangouts and Messages, which suggests that the attack vector is necessarily through the application layer. (Rather than, for example, something in the firmware-level handling of MMS.) If that's the case, why can't an application-level update (whether to Hangouts or to Play Services, which Hangouts depends on), at least block offending messages? Heck, if the bug is actually a remote root exploit, one would think that a Hangouts fix that simply stripped *all* embedded video from MMS on any device that can't be confirmed to have been fixed would be a prudent (hopefully temporary) safety measure, even though it would remove functionality from the phone in the interim.
  • Hi, The Verge has a piece two hours old that does a good job of updating the goings on. One Telco in Europe has taken to blocking auto downloads of videos. See my post above for lots more, including links. It's in the replies to the first post on this thread. Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • So should people stop using Hangouts? Could we get some answers please! Posted via the Android Central App
  • In Hangouts settings turn off auto retrieve MMS. Then you would have to manually elect to download a potentially infected video.
  • Blackberry's security adopted by Samsung couldn't be out soon enough. Never had security issues like this when I was with BlackBerry, ever. Come on Google, get with it. Posted via the Android Central App
  • Very true. My rotary phone I used to use never had security issues like this either.... Come on Google, get with the times... switch to rotary phone technology.
  • Looks like you have no idea what BlackBerry 10 is and missed that 2010's BlackBerries are not 2015's... Samsung asked BlackBerry for help with their KNOX security for enterprise. It's not only about dollars and size, but know-how as well. See Apple, Google and Samsung - still haven't caught up with the level of security provided by now tiny BlackBerry Ltd. Quite some snarky comments in this part of Mobile Nations.
    :-)
  • Yea, no snarky comments or attitude over on the crackberry blog comments at all, especially when it comes to other os's. They are very open minded and accepting of everything, there. I actually try not to read the comments there very often because of all the hate and arguing.
  • I am new to the Android platform, I came from Blackberry, this is irony, but I have McAfee Mobile Security on my G4, and I will look at the messaging system, but I think Google should knock on Blackberry's door. In the perfect world I would love to install Blackberry 10 on an Android phone, maybe one day that could happen, but that was my worry about Android, the lack of security on the Android system. This is something that Android must improve.
  • Google should knock on Blackberry's door? Um ok... Blackberry used to own the smartphone space... and now they own virtually nothing. I don't think Google needs to knock on Blackberry's door any time soon...
  • In terms of security Blackberry is well known for their security on their systems, if you could blend the two together you would have an impressive system.
  • Samsung did.
    For their KNOX system... :-D
  • Why would you have an AntiVirus to begin with on Android... Posted via the Android Central App
  • He's new to android, and over on blackberry forums, that's all they talk about. Security and android being nothing but malware, like it's all coming out of Google play store. When it comes from people installing apks from unknown sources, or allowing it to install from questionable websites they are on. Just unaware of the security settings...
  • I cared that in one sentence ..you wrote " to to google phones."
    Did the editor n chief write this? I just want my voicemail icon to go away. Thought I'd snoop around here while waiting for a fingers-crossed response. Ok... Anyhow... ya ya I'll look out for this defect beta video player. Mmb
  • Hi, click on the voicemail icon to open the app, then hit the back arrow top left of screen. Done. Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Maybe I will finally get ONE update for my phone ... I think I received ZERO updates in the past 12 months. Android, open source, blah blah. At the end of the day the user gets nothing.
  • This is what? The third or fourth time Phil has downplayed a security exploit on Android? Perhaps his points are valid, but after so many times, you start to wonder if he actually has the readers' best interest or is just continually defending Android.
  • Many security exploits are *massively* overplayed by the general blogosphere, because anytime they can put "Android" and "vulnerability" or "malware" into the same sentence, they know it will get massive clicks.
  • Perhaps it should be named 'Skynet' instead of 'Stagefright'. It's aware.....
  • According to Android Police, Google will push out a patch for this next week for Nexus devices. http://www.androidpolice.com/2015/07/28/google-representative-promises-a...
  • I have a question that I hope someone can answer. Ok so my galaxy s6 edge got a txt from one of my family members that was a download. I downloaded it and boom! GONE the thing was gone. I asked the person what they had sent me and they said they didn't send me anything. At the same time I got TONS of the same txt messages with the download from other contacts?!? I tried 8 antivirus programs and they all found nothing! I am pretty sure that someone is using the stagefright exploit for malicious software that is undetectable. Is there a fix?????????? ANYTHING PLS.
  • Odds are, you did not get infected with anything.  Even if something did get installed, it would still show as an installed app, and should be detectable by something like Lookout.  If you're *really* worried, do a factory reset and then reboot to recovery and wipe data.  Unless your phone seems to be behaving strangely (battery dying faster than usual, warm when it shouldn't be, or chewing up more data that you can't account for) the odds that you have been infected are actually pretty low.
  • I just talked to Verizon Tier 2 support. They haven't heard of the Stagefright bug, so can be of no help. Also, there is no way I can determine to know when Google pushes out a patch for any of their Galaxy, Note, or other phones. To help mitigate the problem, I've (1) disabled 'Auto Retrieve Messages' on the stock message app with Samsung (Note 4, 5.0.1) but neither Verizon nor I can figure out how to (2) 'Block the reception of text messages from unknown senders'.
    Any suggestions ??
  • Hi, there are some security apps that I believe can block sms unknowns. Look at Avast mobile security, it's free, ad free, and feature rich. I've been using it for quite some time. Love it! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • SMS isn't an issue, only MMS.
  • Every platform has issues, but the tell-tale here is how the issues are dealt with and fixed (or not). The stagefright vulnerability is serious, widespread, and can be triggered remotely. All together should be of great concern. We need folks to understand how the carriers and manufacturers are actively working to *screw* Android users by ignoring serious security issues if a phone is older than a year or two. This is a big issue and Stagefright is an excellent proof case for how the Android security update process is BROKEN. As has been said, it seems the only way to fix security issues with Android is to buy a new phone every time a bad vulnerability hits. *THAT's* got to stop. Part of this is having our Android Experts step up, point out, rant out, and generally make a ruckus until this messy and dysfunctional process is fixed, instead of just trying to distract folks and tell them, really, it'll all be OK. @Vikkideane... Verizon's not even *heard* of it? just more proof....
  • WiseCraig,
    Totally agree. 3 hours on the phone with Verizon TIER 2 technician and absolutely NO SOLUTION. Their solution, wait for a software update.
  • Honestly, the software update issue goes beyond Android. All platforms (excluding iOS) are at the mercy of Carriers and OEMs. Both (but most notably the carriers) have a habit of deciding not to update phones, no matter how important the update is. They would much prefer you just buy a new phone. I really wish carriers didn't play a role in the process, but unfortunately they do.
  • +1000 via AC App
    on VZW Moto X 2014/2013 DE/N7
  • My ATT Note 4 is downloading the patching update right now, stay tuned for results!
  • I've been tuned for 3 hours, can I untune yet :)
  • Probably! It did take over 90 Minutes to DL and then install, including converting all 300+ apps. So far it seems to work ok.
    You may now return to the soap opera this special bulletin interrupted.
  • :)
  • What t