
The 'Stagefright' exploit: What you need to know

In July 2015, security company Zimperium announced that it had discovered a "unicorn" of a vulnerability inside the Android operating system. More details were publicly disclosed at the BlackHat conference in early August — but not before headlines declaring that nearly a billion Android devices could potentially be taken over without their users even knowing it.

So what is "Stagefright"? And do you need to worry about it?

We're continuously updating this post as more information is released. Here's what we know, and what you need to know.

What is Stagefright?

"Stagefright" is the nickname given to a potential exploit that lives fairly deep inside the Android operating system itself. The gist is that a video sent via MMS (text message) could be theoretically used as an avenue of attack through the libStageFright mechanism (thus the "Stagefright" name), which helps Android process video files. Many text messaging apps — Google's Hangouts app was specifically mentioned — automatically process that video so it's ready for viewing as soon as you open the message, and so the attack theoretically could happen without you even knowing it.

Because libStageFright dates back to Android 2.2, hundreds of millions of phones contain this flawed library.

Aug. 17-18: Exploits remain?

Just as Google began rolling out updates for its Nexus line, the Exodus firm published a blog post snarkily saying that at least one exploit remained unpatched, implying that Google screwed up with the code. UK publication The Register, in a flouncily written piece, quotes an engineer from Rapid7 as saying the next fix will come in September's security update — part of the new monthly security patching process.

Google, for its part, has yet to publicly address this latest claim.

In the absence of any further details for this one, we're inclined to believe that at worst we're back where we started — that there are flaws in libStageFright, but that there are other layers of security that should mitigate the possibility of devices actually being exploited.

On Aug. 18, Trend Micro published a blog post on another flaw in libStageFright. It said it had no evidence of this exploit actually being used, and that Google published the patch to the Android Open Source Project on Aug. 1.

New Stagefright details as of Aug. 5

In conjunction with the BlackHat conference in Las Vegas — at which more details of the Stagefright vulnerability were publicly disclosed — Google addressed the situation specifically, with lead engineer for Android security Adrian Ludwig telling NPR that "currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue."

This is very much at odds with the "900 million Android devices are vulnerable" line we have all read. While we aren't going to get into the midst of a war of words and pedantry over the numbers, what Ludwig was saying is that devices running Android 4.0 or higher — that's about 95 percent of all active devices with Google services — have protection against a buffer overflow attack built in.

ASLR (Address Space Layout Randomization) is a method that keeps an attacker from reliably finding the function he or she wants to exploit by randomly arranging the memory address space of a process. ASLR has been enabled in the default Linux kernel since June 2005, and was added to Android with version 4.0 (Ice Cream Sandwich).

How's that for a mouthful?

What it means is that the key areas of a program or service that's running aren't put into the same place in RAM every time. Putting things into memory at random means any attacker has to guess where to look for the data they want to exploit.
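To watch this happen on a Linux machine, the following added example (not part of the original article) starts the same program five times and counts how many different addresses the stack, the heap and the C library were loaded at. The three region names, the run count and the `aslr-check` process name are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define RUNS 5   /* fresh processes to compare (value chosen for the example) */
#define NKEYS 3
/* Regions to compare, named as Linux prints them in /proc/<pid>/maps. */
static const char *KEYS[NKEYS] = { "[stack]", "[heap]", "libc" };

/* Parse one maps line: "start-end perms offset dev inode [path]".
 * Returns 1 and fills start/path on success, 0 on malformed input. */
int parse_maps_line(const char *line, unsigned long *start, char path[256])
{
    unsigned long end;
    char perms[5];
    path[0] = '\0';               /* anonymous mappings have no path */
    return sscanf(line, "%lx-%lx %4s %*s %*s %*s %255[^\n]",
                  start, &end, perms, path) >= 3;
}

/* Start of the first mapping in `text` whose path contains `needle`, or 0.
 * Each line is copied out first so a pathless line cannot absorb the next. */
unsigned long find_base(const char *text, const char *needle)
{
    while (*text) {
        size_t len = strcspn(text, "\n");
        char line[512], path[256];
        unsigned long start;
        if (len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            if (parse_maps_line(line, &start, path) && strstr(path, needle))
                return start;
        }
        text += len;
        if (*text == '\n') text++;
    }
    return 0;
}

/* Number of different values in v[0..n-1]; 1 means "same place every run". */
int distinct_count(const unsigned long *v, int n)
{
    int distinct = 0;
    for (int i = 0; i < n; i++) {
        int seen = 0;
        for (int j = 0; j < i; j++)
            seen |= (v[j] == v[i]);
        distinct += !seen;
    }
    return distinct;
}

/* Child mode: print this process's own region bases on one line. */
static int child_report(void)
{
    static char buf[65536];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 1;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    for (int k = 0; k < NKEYS; k++)
        printf("%lx ", find_base(buf, KEYS[k]));
    putchar('\n');
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "child") == 0)
        return child_report();
    unsigned long seen[NKEYS][RUNS] = {{0}};
    for (int r = 0; r < RUNS; r++) {
        int fd[2];
        pid_t pid;
        if (pipe(fd) != 0 || (pid = fork()) < 0)
            return 1;
        if (pid == 0) {
            /* fork() copies the parent's layout; a new one is drawn at exec. */
            dup2(fd[1], STDOUT_FILENO);
            execl("/proc/self/exe", "aslr-check", "child", (char *)NULL);
            _exit(127);
        }
        close(fd[1]);
        FILE *in = fdopen(fd[0], "r");
        if (!in || fscanf(in, "%lx %lx %lx",
                          &seen[0][r], &seen[1][r], &seen[2][r]) != NKEYS)
            fprintf(stderr, "run %d: could not read child report\n", r);
        if (in) fclose(in);
        waitpid(pid, NULL, 0);
    }
    for (int k = 0; k < NKEYS; k++)
        printf("%-8s %d distinct base(s) in %d runs\n",
               KEYS[k], distinct_count(seen[k], RUNS), RUNS);
    return 0;
}
```

Run it with no arguments. With ASLR on, each region normally reports more than one distinct base; a count of 1 for every region means the layout is the same in every process, which is the predictable case ASLR is meant to remove.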

This isn't a perfect fix, and while a general protection mechanism is good, we still need direct patches against known exploits when they arise. Google, Samsung and Alcatel have announced a direct patch for Stagefright, and Sony, HTC and LG say they will be releasing update patches in August.

Who found this exploit?

The exploit was announced July 21 by mobile security firm Zimperium as part of an announcement for its annual party at the BlackHat conference. Yes, you read that right. This "Mother of all Android Vulnerabilities," as Zimperium puts it, was announced July 21 (a week before anyone decided to care, apparently), and just a few words before the even bigger bombshell of "On the evening of August 6th, Zimperium will rock the Vegas party scene!" And you know it's going to be a rager because it's "our annual Vegas party for our favorite ninjas," complete with a rockin' hashtag and everything.

How widespread is this exploit?

Again, the number of devices with the flaw in the libStageFright library itself is pretty huge, because it's in the OS itself. But as noted by Google a number of times, there are other methods in place that should protect your device. Think of it as security in layers.

So should I worry about Stagefright or not?

The good news is that the researcher who discovered this flaw in Stagefright "does not believe that hackers out in the wild are exploiting it." So it's a very bad thing that apparently nobody's actually using against anyone, at least according to this one person. And, again, Google says if you're using Android 4.0 or above, you're probably going to be OK.

That doesn't mean it's not a bad potential exploit. It is. And it further highlights the difficulties of getting updates pushed out through the manufacturer and carrier ecosystem. On the other hand, it's a potential avenue for exploit that apparently has been around since Android 2.2 — or basically the past five years. That either makes you a ticking time bomb, or a benign cyst, depending on your point of view.

And for its part, Google in July reiterated to Android Central that there are multiple mechanisms in place to protect users.

We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device. Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.

What about updates to fix Stagefright?

We're going to need system updates to truly patch this. On Aug. 12, in its new "Android Security Group," Google issued a "Nexus security bulletin" detailing things from its end. There are details on multiple CVEs (Common Vulnerabilities and Exposures), including when partners were notified (as early as April 10, for one), which build of Android featured fixes (Android 5.1.1, build LMY48I) and any other mitigating factors (the aforementioned ASLR memory scheme).

Google also said it's updated its Hangouts and Messenger apps so that they don't automatically process video messages in the background "so that media is not automatically passed to mediaserver process."

The bad news is that most folks are going to have to wait on the manufacturers and carriers to push out system updates. But, again — while we're talking something like 900 million vulnerable phones out there, we're also talking zero known cases of exploitation. Those are pretty good odds.

HTC has said updates from here on out will contain the fix. And CyanogenMod is incorporating them now as well.

Motorola says all of its current-generation phones — from the Moto E to the newest Moto X (and everything in between) — will be patched, with code going to carriers starting Aug. 10.

On Aug. 5, Google released new system images for the Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9 and Nexus 10. Google also announced that it will release monthly security updates for the Nexus line. (The second publicly released M Preview build appears to already be patched as well.)

And while he didn't name the Stagefright exploit by name, Google's Adrian Ludwig earlier on Google+ had already addressed exploits and security in general, again reminding us of the multiple layers that go into protecting users. He writes:

There's a common, mistaken assumption that any software bug can be turned into a security exploit. In fact, most bugs aren't exploitable and there are many things Android has done to improve those odds. We've spent the last 4 years investing heavily in technologies focused on one type of bug -- memory corruption bugs -- and trying to make those bugs more difficult to exploit.

For more on how that works, read our Q&A on security with Google's Ludwig.

Stagefright detector apps

We don't really see the point in using a "detector" app to see if your phone is vulnerable to the Stagefright exploit. But if you must, there are some available.

161 Comments
  • Whatever Posted via the Android Central App
  • Lol! Exactly Nexus 5 (AT&T)
  • Well you should be in the know. Because there are known knowns and unknown knowns that everyone knows about that they don't know about because it's not known to those who know they don't know, only to those who think they know. Ya know?
  • The panic attack exploit lol Posted via the Android Central App
  • If this was not such a serious vulnerability, then please explain why ALL the major OEMs are now rushing to patch this! And, oh, by the way, it has already been detected in the wild for some time now, but you would not be aware if you were hacked or not! This from the wiki page, and I have read elsewhere too. "In July 2015, Evgeny Legerov, a Moscow-based security researcher, announced that he found two similar heap overflow zero-day vulnerabilities in the Stagefright library, claiming that the library has been already exploited for a while." And there are two NEW exploitations found by Trend Micro: http://blog.trendmicro.com/the-show-goes-on-more-stagefright-horrors-wit... And 360 mobile security posted that there are other settings to worry about: https://www.linkedin.com/pulse/insight-stagefright-flaws-wei-wei?trk=pro... And last, but certainly not least, your file managers are likely vulnerable if they have a built-in media player. (see link above) So for all you uncaring, who wish to remain ignorant of the realities, your days are numbered. Not if you are ever hacked, but when. Too bad I won't be there to enjoy it! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Because no one ever is affected by this shit Posted via the Android Central App
  • +1 Posted via the Android Central App
  • Oh sure, right! That's why Google's Ludwig says that ONLY 15% of total Android devices were infected with some kind of malware, adware, and/or spyware. Do you know what 15% of one BILLION devices is? No? Ok, I'll tell you, it is
    ONE HUNDRED AND FIFTY MILLION Devices! Just because you, or anyone you know, has not experienced these things, does not discount the facts that others have. Most people don't even know the symptoms of an infected device. Or how to go about identifying the cause of their malfunctioning devices. Their phone could be a part of a botnet and they would never know it, and just scratch their heads wondering why their battery life took a dump one day, or week, and then returned to normal functions. Or, gee, "my data took a big hit last month" Or, "why is my phone overheating" and on and on it goes. These are examples of things that could be harmful, or... harmless. But how would you know? So, go on and be careless if you want, but there are others who do more than play games on their device. And could suffer real losses. And speaking of games, there was RANSOMWARE being served up to tens of thousands of gamers not long ago. But who cares, right? Not you! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Find me a first hand account of this or a forum and not some statistic Posted via my Nexus 6
  • Post your number and I'll make you a first hand. Security needs to be taken seriously. Based on statistics someone gets hacked 18 times a second. Did you know that some time ago there was a rash of malicious live wallpaper that mined bitcoins for the dev? They have been taken down by now, but still. In the end you are the smug 10 foot tall and bullet proof guy that gets shot and killed.
  • The number he gave was 0.15% not 15%. Sorry I'm a fortnight late, but an error of that magnitude needs pointing out. Wubba lubba dub dub!
  • What?  He was only off by a factor of 100 ;)
  • And this is called fear mongering. A well known exploit. Posted via the Android Central App
  • I got hit over the weekend. This has been the most exhausting, frustrating event in my life. I still don't know exactly what Stagefright does and what all they can do. My phone was older and after receiving the text back from an ad, BAM! My phone was open overnight before I realized that I'd been infected. This really sucks. Have new phone but can't access provider account... it's like I'm still hijacked. Any suggestions?
  • Hi, you should call your provider right away, and you need to change passwords for that account and your Google account soon as possible. Then there are lots of other passwords you will likely need to change. After that, if you still have the old phone, you might want to have it looked at by a computer security person. There is a multitude of Android malware that could have affected your device. But Stagefright may have been the delivery method. Google that name to read up on it later. Good luck.
  • Thank you for responding, I am not one of you guys, I was actually led here through Google. When I got hit, my provider and I were even locked out of my account since Saturday... this is some scary stuff.
  • I assume you have regained provider control? What about your Google account? And what is the manufacturer of your new phone? Nexus receives the fastest security updates, followed by Samsung, LG, and maybe HTC and Motorola. But Google just put out a patch for several vulnerabilities, and it will take some time before they make it to other phone models. Even Marshmallow is not fully patched. Here is a news link to Google's latest patching. There are several new Android malware that could have affected your phone, and a couple can even gain root access without your interaction. There are many articles at security week, and if you do a search on "theregister.com" (Android) you can find all kinds of helpful info. There are too many things, symptoms to cover here that could help narrow down what malware you encountered, but all important passwords need changed, and if you used any credit cards on your phone to shop, you should probably notify your bank about the breach you experienced. Just a precaution. If you have any further questions, I will try and help. Stay safe.
  • *** This was supposed to be a reply to Justine13 Sorry, I don't have any suggestions. I'm replying to your comment that you don't know exactly what it does. I was messaged by my provider months back about StageFright and they said I would be notified when the patch is available. I also heard an update to my device would carry a fix. So far, nothing has happened. I was watching last night's (Friday) Crime Watch Daily and they did a segment on this. The scariest part to me is even with the phone off, they can hear you through the microphone and see whatever the camera (front or back) is pointing to. It can gain access to everything on your phone. They showed 2 hackers that they hired to hack into a lady's phone. From the hackers' end, they showed the viewers that they were looking at and hearing this lady's conversation with a friend at a cafe, as well as pinpointing her location. SCARY!
  • Soooooooooooo................... Posted via the Android Central App
  • "This is *an exploit" is the graver mistake in the article. :P But in all seriousness, it is an exploit and should be taken seriously especially given the nature of the auto-load video 'functionality'.
  • Google's response could be a bit more precise and specific. For example, (not an actual quote) "Android has this, this, and this which will prevent this exploit from affecting users in a meaningful way".
  • That's what I thought. It's so vague as to be lacking credibility. You just hope it's vague because they don't want to tell hackers how they're going to be blocked.
  • Yeah? So that exploiters know what to deal with next?
  • Acknowledging it would not help an exploiter.
  • They like to pretend if they don't say anything it will go away on its own.
  • I suspect it has more to do with not wanting to get super technical about application sandboxing and ASLR in a press release that's intended to be intelligible to the "average" user.
  • If you are using hangouts for SMS, is the fix as simple as going into settings and turning off "Auto-retrieve MMS messages"? Then if you get a message from an unknown number you just ignore it?
  • Good question. Posted via the Android Central App
  • That is too simple of a solution and can not be expected to be used. Google will push out a solution to nexus devices. Samsung will advise you buy the now patched Galaxy s 6. Everyone else will hope you don't notice there hasn't been an update to your phone for a while until they can get their next flagship out, then they'll travel Samsung's road.
  • "Samsung will advise you buy the now patched Galaxy S6"....lololol!!
  • That was my initial thought as I was reading.
  • I have a choice of Hang Outs and the default messaging app. The default messaging app has the option to uncheck 'auto-retrieve' but it doesn't mention if it's MMS or what. I'm pretty close to stock using an un-tinkered with Moto G.
  • I think it's MMS, because if you notice, it's below the MMS section.
  • Yes. It *could* still be possible for someone you know to send you an MMS message that contained the exploit, but seems less likely. As the article states, it's very unlikely to be a problem, if you're running Android 4.0 or newer, but turning off Auto-Retrieval of MMS messages means that you have an extra layer of control in deciding if you want to download MMS messages.
  • If we have to wait for, say, Verizon to get around to pushing this out, it'll be 8-16 months if their track record is any indication.
  • How original, a dig at Verizon and their slow paced updates. You've probably been waiting 8-16 months to use that!
  • We see what you did there Posted via the Android Central App
  • Troller no trolling.
  • Swiper, no swiping!
  • I'm soak testing a reply to your post. It should be ready sometime in Q2 2015!
  • Actually the one great thing about Verizon is they are very keen and very fast for fixing security exploits of every kind and push them out very fast. Verizon knows its regular customers are going to be going to them first for any and every problem with their phones. As much as I dislike Verizon, and I'm a customer, they are on top of security patches. Remember when my D1 stopped getting OS updates, but Verizon still pushed out security patches to it in a timely manner after it stopped supporting the phone.
  • I don't use Hangouts for messaging. I assume that Messenger does not auto play video. Still, updates should be pushed out if they have not been already on ALL phones, on all carriers (I'm looking at you, VZW).
  • Hangouts is updated through the Play store, the messenger app depends on your manufacturer. Have most moved the messenger app to the play store yet? I need to find out how mine is updated.
  • Probably referring to the Google Messenger app, which is in the Play Store. (Not manufacturer-supplied ones, as those mostly aren't in the Play Store) Posted via the Android Central App
  • Yes, I am talking about Google's own Messenger app downloaded from the Play Store.
  • Turned off Auto MMS receive in Messenger settings, just in case.
  • I'm running the latest version of Android, hopefully it's not an issue on a brand new Nexus, right... And let's not forget about , effective. 
    Power
    لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ
    冗 Posted via the Android Central App
  • How (or actually why) could a media file have an executable that the OS will run, especially with system privileges ?
    I mean, Why would the OS need to execute there something? Isn't this sort of thing just a readable type of file?
  • It will likely be some kind of vulnerability in StageFright that corrupts the stack and allows a stack return pointer to point into the media file in memory, or something, although in that case, I'd expect the XN (Execute Never) facilities in ARMv6 onwards to stop that being executed (those facilities are designed to only allow execution from memory that has been specifically flagged as containing executable code). I'm probably being naive to trust technologies like that, though!
  • But it's a media file, something that other software is supposed to just read from it, not to execute anything... Just extracting a bitmap or something to show to the user...
    How could it corrupt anything? If the data is unreadable, it should just be marked as "invalid/corrupt" or something.
    A very weird bug.
  • It's probably a very typical bug known as a buffer overflow. A bug in the code that reads the video allows carefully crafted invalid input to write data past the end of a section of memory called a buffer, overwriting memory that's located physically just after the buffer, that contains executable code. Then the attacker's code is executed instead of the original code that was present at that location.
  • Could be. But isn't this kind of putting the code memory outside of its place a bit random?
    I mean, what chance is there that the exact piece of code will be executed , instead of only a part of it that's probably harmless (or can crash) ?
  • That should be one of the "protection mechanisms" newer versions of Android have. Position independent executables and ASLR make this kind of exploitation harder, but not impossible (i.e. Nop-sledding into mmapped bionic libc functions (which is still impeded by ASLR)). I'm also not sure whether or not Stagefright was compiled as a PIE or not... Of course, if the exploit works on some other mechanism that ASLR can't protect against, all safety bets are out the window; Stagefright isn't truly sandboxed in the same way a Dalvik/ART executable can be.
  • I don't know about most of the terms you've written, but the last sentence summarizes it all.
    I hope that at least for the relatively new versions of Android, this isn't a major security issue.
  • Huh?
  • Yet another reason why Apple will claim why they are better. Posted via the Android Central App
  • We are just 2 months out from Apple dealing with their own SMS exploit that was taking down the majority of their devices
  • http://www.express.co.uk/life-style/science-technology/580211/iPhone-Mes...
  • I think the bug in the iOS/OSX keychain is a bit more serious:
    http://www.cultofmac.com/326567/mac-ios-malware-vulnerability/
  • Not to mention the bug that allowed websites to install "fake" versions of apps that could steal users' data, just by having the user click a link in an email or on a web page. No system is immune to security vulnerabilities. And the more complex (and convenient) the system gets, the harder it is to keep it secure.
  • So you got good hackers and bad hackers. Good hackers find a weakness, the news reports it. Bad hackers read article that says bad hackers haven't used exploit yet. Now bad hacker knows about exploitable exploit about to be exploited, by him... if it were actually something serious. Why does the media do this? It's so moronic. The important scary stuff never actually gets to the media, too much investment at stake. It's the pitiful crap like this that no real hacker cares about (because it's been exploitable for FIVE FREAKING YEARS and no one has cared about it, nor do they now) that gets the laymen all up in arms and huffy puffy over. So thanks media for getting us all riled up over nothing. And if it is something, thanks for advertising an unresolved issue to the whole world via a click of the mouse, so it's more of a something than it ever should have been.
  • Isn't that what media does, anyway?: They use shock value to frighten everyone into immobility. The fear card then raises, the US wastes $trillions, thus becoming a 3rd-world nation. Little kids can't then ride their bikes alone near their neighborhoods, nor may they play with horned toads and bugs in fields and vacant lots. They can't then obtain decent immunity--thus they must increasingly depend even more heavily upon our idiot, clueless, and corrupt medical system. Thus, the kids stay in their homes--"safely" with their phones and tablets--not knowing anything at all about nature while also becoming fat, diabetic, and a coronary concern. Their food is no good, since it's become so cheapened, nutrient-deficient, and chemical-laden--familiar diseases like ADD and autoimmune disease arise. When the temperature outside finally hits 150deg. F, or their houses burn up or wash away--they may then prove puzzled and concerned, in the end. What may they do then?: In vain, they'll Google for an easy, one-step solution--one which requires the least effort....
  • Does anyone know what sort of access permissions the malicious code would have? I've read everything from just the media files to "full control of your device."
  • The researcher who found the exploit "discovered a multitude of implementation issues with impacts ranging from unassisted remote code execution down to simple denial of service". I suspect that since Stagefright is part of the core OS, it might run with a high level of privilege.
  • I smell another FUD article from Rene Bitchey coming later today from iMore... Posted via the Android Central App
  • So if you received one of these texts, would a scan from something like Lookout, show anything?
  • No! The exploitation can erase the MMS before you ever see it, and if you are lucky, you may see a notice to a non-existing message. The real problem here, and is being downplayed by AC and Ludwig as usual, will be the attacks or spyware you never see or detect, or it will be combined with other malware to say, lock you out with ransomware. It's just a matter of time until this is used, and then, even then, Google will simply say, "see, we already fixed it" not my problem. Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Well, why shouldn't Google say that? This is the carriers' fault if they can't get a critical patch out in 90 days....
  • Yes but it's Google's problem. Google wants people to use Android, so anything hindering that (i.e. manufacturers and carriers) is a huge problem to Google. Fragmentation should be top on Google's list of things to remediate (though I have no idea how it would do it).
  • Exactly. via AC App
    on VZW Moto X 2014/2013 DE/N7
  • Couldn't this be fixed with a Play Services update? Perhaps it has already been pushed.
  • This is what I was thinking. This seems like the kind of thing that could be addressed via a Google Play Services update.
  • I'm guessing no, if it's a problem with a media component of the core OS. But I'd think they'd at least patch the vulnerability in Hangouts so it doesn't process video automatically. Actually, if they've known about this for months, I'm not sure why they haven't already.
  • It could affect the built-in messaging app as well, which would not be fixed until that OEM pushed out the update for their specific app.
    Our lead grey-hat hacker laughed because zero people have been affected, the exploit is difficult to use effectively because of the memory management since Android 4.0 (probably why no one has bothered using it), and it takes 5 seconds to render this exploit useless. In your message app, go to settings then multimedia messages, and un-check auto retrieve. Done.
  • Here's what I wish. I wish a vulnerability so easy to exploit and so severe would happen that it would cause Google, the OEMs and the carriers to all sit down and rethink how security updates are handled. I think it will take something like this before they get serious about it.
  • They got me and I'm pissed. Posted via the Android Central App
  • If they really got you, then you would not know it in the first place, that is unless it was RANSOMWARE. Which then, you would not have been able to post via the AC app in the first place! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • If you turn off the following settings in your messaging app/apps on your device: Auto-retrieve MMS. Check to automatically retrieve multimedia messages that you receive. If auto-retrieve is unchecked in your Messenger MMS settings, you must touch Download to view the message. Roaming auto-retrieve. Check to automatically retrieve multimedia messages while roaming. Then when you receive the text with this exploit it will not download to your phone unless you hit the download button. So looks like this can be turned off without a patch but patches are needed cause not everyone is smart enough to turn these off.
  • You mean not everyone is smart enough to read tech blogs so that they know to turn these off. Seriously, you didn't have to insult people.
  • I didn't insult anyone, all I said was some are not smart enough to turn these features off and that's why the patches are needed.
  • Thanks for the fix. We can move along.
  • As Phil likes to downplay scary things for all those not fortunate to have all the latest and greatest Android devices, I'll say this, the unknowns ARE NOT being ignored, as this is part of a presentation at Blackhat USA 2015 and was responsibly disclosed to Google. They announced this to generate interest in their upcoming presentation. If anyone is playing around here, it is Google who should be talking more about how to stay safe, as they were responsible for the bad code in the first place! These researchers provided the patches to Google even, and Google used them! To make fun of these security specialists is tantamount to blaming the messenger, and in bad taste for Phil to ridicule them. But why should he care, he is always going to have the newest devices. Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Agreed. Phil's good at reviewing phones, not security issues. Another way to mitigate against the risk is to use TextSecure. It will automatically download the media but you can't play or view any media without clicking through a warning about playing media insecurely.
  • So, these people at Zimperium are all nice guys. What if someone else has found this hack in the past 5 years?
    Security matters. Maybe it's time to try a Windows phone.
  • Made me laugh. Thanks for that.
  • The corresponding module in a Windows Phone is likely a WinRT component written in C++. C++ collections are far more resilient against this sort of thing than C's manual memory buffering. Perhaps laughing is not the wisest thing to do.
  • Dan wasn't laughing about the tech aspect of the security. He was laughing at the concept that anyone actually WANTS a Windows phone. You tech nerds really need to lighten up. We love you, but your sense of humor is severely lacking.
  • What I'm a bit confused by is the fact that it apparently has different impacts on Hangouts and Messages, which suggests that the attack vector is necessarily through the application layer. (Rather than, for example, something in the firmware-level handling of MMS.) If that's the case, why can't an application-level update (whether to Hangouts or to Play Services, which Hangouts depends on), at least block offending messages? Heck, if the bug is actually a remote root exploit, one would think that a Hangouts fix that simply stripped *all* embedded video from MMS on any device that can't be confirmed to have been fixed would be a prudent (hopefully temporary) safety measure, even though it would remove functionality from the phone in the interim.
  • Hi, The Verge has a piece two hours old that does a good job of updating the goings on. One Telco in Europe has taken to blocking auto downloads of videos. See my post above for lots more, including links. It's in the replies to the first posted on this thread. Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • So should people stop using Hangouts? Could we get some answers please! Posted via the Android Central App
  • In Hangouts settings turn off auto retrieve MMS. Then you would have to manually elect to download a potentially infected video.
  • Blackberry's security adopted by Samsung couldn't be out soon enough. Never had security issues like this when I was with BlackBerry, ever. Come on Google, get with it. Posted via the Android Central App
  • Very true. My rotary phone I used to use never had security issues like this either.... Come on Google, get with the times... switch to rotary phone technology.
  • Looks like you have no idea what BlackBerry 10 is and missed that 2010's BlackBerries are not 2015's... Samsung asked BlackBerry for help with their KNOX security for enterprise. It's not only about dollars and size, but know-how as well. See Apple, Google and Samsung - still haven't caught up with the level of security provided by now tiny BlackBerry Ltd. Quite some snarky comments in this part of Mobile Nations.
    :-)
  • Yea, no snarky comments or attitude over on the crackberry blog comments at all, especially when it comes to other os's. They are very open minded and accepting of everything, there. I actually try not to read the comments there very often because of all the hate and arguing.
  • I am new to the Android platform. I came from Blackberry, this is irony, but I have McAfee Mobile Security on my G4, and I will look at the messaging system, but I think Google should knock on Blackberry's door. In the perfect world I would love to install Blackberry 10 on an Android phone, maybe one day that could happen, but my worry about Android was the lack of security on the Android system. This is something that Android must improve.
  • Google should knock on Blackberry's door? Um ok... Blackberry used to own the smartphone space... and now they own virtually nothing. I don't think Google needs to knock on Blackberry's door any time soon...
  • In terms of security, Blackberry is well known for their security on their systems. If you could blend the two together you would have an impressive system.
  • Samsung did.
    For their KNOX system... :-D
  • Why would you have an AntiVirus to begin with on Android... Posted via the Android Central App
  • He's new to android, and over on blackberry forums, that's all they talk about. Security and android being nothing but malware, like it's all coming out of Google play store. When it comes from people installing apks from unknown sources, or allowing it to install from questionable websites they are on. Just unaware of the security settings...
  • I cared that in one sentence ..you wrote " to to google phones."
    Did the editor in chief write this? I just want my voicemail icon to go away. Thought I'd snoop around here while waiting for a fingers-crossed response. Ok. . Anyhow... ya ya I'll look out for this defect beta video player. Mmb
  • Hi, click on the voicemail icon to open the app, then hit the back arrow top left of screen. Done. Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • Maybe I will finally get ONE update for my phone ... I think I received ZERO updates in the past 12 months. Android, open source, blah blah. At the end of the day the user gets nothing.
  • This is what? The third or fourth time Phil has downplayed a security exploit on Android? Perhaps his points are valid, but after so many times, you start to wonder if he actually has the readers' best interest or is just continually defending Android
  • Many security exploits are *massively* overplayed by the general blogosphere, because anytime they can put "Android" and "vulnerability" or "malware" into the same sentence, they know it will get massive clicks.
  • Perhaps it should be named 'Skynet' instead of 'Stagefright' It's aware.....
  • According to Android Police, Google will push out a patch for this next week for Nexus devices. http://www.androidpolice.com/2015/07/28/google-representative-promises-a...
  • I have a question that I hope someone can answer. Ok so my Galaxy S6 edge got a txt from one of my family members that was a download. I downloaded it and boom! GONE, the thing was gone. I asked the person what they had sent me and they said they didn't send me anything. At the same time I got TONS of the same txt messages with the download from other contacts?!? I tried 8 antivirus programs and they all found nothing! I am pretty sure that someone is using the stagefright exploit for malicious software that is undetectable. Is there a fix?????????? ANYTHING PLS.
  • Odds are, you did not get infected with anything.  Even if something did get installed, it would still show as an installed app, and should be detectable by something like Lookout.  If you're *really* worried, do a factory reset and then reboot to recovery and wipe data.  Unless your phone seems to be behaving strangely (battery dying faster than usual, warm when it shouldn't be, or chewing up more data that you can't account for) the odds that you have been infected are actually pretty low.
  • I just talked to Verizon Tier 2 support. They haven't heard of the Stagefright bug, so can be of no help. Also, there is no way I can determine to know when Google pushes out a patch for any of their Galaxy, Note, or other phones. To help mitigate the problem, I've (1) disabled 'Auto Retrieve Messages' on the stock message app with Samsung (Note 4, 5.0.1) but neither Verizon nor I can figure out how to (2) 'Block the reception of text messages from unknown senders'.
    Any suggestions ??
  • Hi, there are some security apps that I believe can block sms unknowns. Look at Avast mobile security, it's free, ad free, and feature rich. I've been using it for quite some time. Love it! Posted via the Android Central App, HTC Evo 4g LTE, on Sprint
  • SMS isn't an issue, only MMS.
  • Every platform has issues, but the tell-tale here is how the issues are dealt with and fixed (or not). The stagefright vulnerability is serious, widespread, and can be triggered remotely. All together should be of great concern. We need folks to understand how the carriers and manufacturers are actively working to *screw* Android users by ignoring serious security issues if a phone is older than a year or two. This is a big issue and Stagefright is an excellent proof case for how the Android security update process is BROKEN. As has been said, it seems the only way to fix security issues with Android is to buy a new phone every time a bad vulnerability hits. *THAT's* got to stop. Part of this is having our Android Experts to step up, point out, rant out, and generally make a ruckus until this messy and dysfunctional process is fixed, instead of just trying to distract folks and tell them, really, it'll all be OK. @Vikkideane... Verizon's not even *heard* of it? just more proof....
  • WiseCraig,
    Totally agree. 3 hours on the phone with Verizon TIER 2 technician and absolutely NO SOLUTION. Their solution, wait for a software update.
  • Honestly, the software update issue goes beyond Android. All platforms (excluding iOS) are at the mercy of Carriers and OEMs. Both (but most notably the carriers) have a habit of deciding not to update phones, no matter how important the update is. They would much prefer you just buy a new phone. I really wish carriers didn't play a role in the process, but unfortunately they do.
  • +1000 via AC App
    on VZW Moto X 2014/2013 DE/N7
  • My ATT Note 4 is downloading the patching update right now, stay tuned for results!
  • I've been tuned for 3 hours, can I untune yet :)
  • Probably! It did take over 90 Minutes to DL and then install, including converting all 300+ apps. So far it seems to work ok.
    You may now return to the soap opera this special bulletin interrupted.
  • :)
  • What type of exploit would keep the AC staff up at night?
  • Probably one that could actually be used, and had actually affected anyone.
  • So being on cyanogenmod nightlies I am already protected against stage fright bug?
  • Yes
  • Does this hack allow us to see more nude pics of celebrities? Posted via the Android Central App
  • Can the exploit be used from anyone sending MMS? Or does it have to be the hacker that is sending it?
  • I think the hacker has to specifically send you a bad MMS. Don't think it works by just anyone sending you one. So basically the hacker needs your number and needs to send you a bad MMS. Best thing: disable auto retrieve MMS and if you do get an MMS from a number you don't recognise just delete it. Posted via the Android Central App
  • Why would the hacker have to know your number specifically? Wouldn't some kind of robocall-like algorithm allow a hacker to spam thousands of numbers automatically? Presumably there'd be a cost issue, but I doubt if this would be a problem for your truly malicious and capable hacker. Until this is fixed I'd rather it were possible to allow messages only from certain numbers. But I don't see a way to do this in any of the messaging apps I've looked at.
  • Well basically if the hacker doesn't have your number or your number ain't in a database the hacker is using, you're safe. Basically your number is needed for you to receive the corrupt MMS. Depending on the SMS app you use you can block messages from numbers you don't know or from unknown numbers. Posted via the Android Central App
  • Basically good advice. The only broader thing to think about is if any issue like this comes up, they could start sending to blocks of phone numbers. In the US (at least), there are pretty predictable large blocks of sequential phone numbers that have been assigned to each carrier. Now with porting, they have mixed up a bit between carriers, but they are all still *cell* numbers and could be targeted.
  • So, sort of like the plot in Bad Apple? (Bad MMS!)
  • While Android is great at making phones because of its features, they are sorely behind in terms of security and the mechanism in delivering its security updates. I recall that Microsoft is the butt of all jokes in terms of security in its Windows XP and Internet Explorer more than 10 years ago. Microsoft stepped up in removing bugs and exploits. Now people don't complain about security issues with Microsoft's software. Let's hope that Google has some kind of mechanism in place in terms of patching its exploits for its phones so it won't be the next Microsoft.
  • Really? My department handles security and virus threats for about 19,000 devices, most of which are running Windows. It's a daily battle, and it goes on regardless of whether or not you read about it on the internet. There's a lot going on that's not published, and a lot of it is worse than this stagefright exploit. Posted via the Android Central App
  • Headlines like "Windows vulnerability" don't get clicks anymore, so no one bothers writing those articles.
  • Motorola: silent as usual.
  • media.stagefright.enable.****=false There. Fixed on my phone. Posted via the Android Central App
  • I don't know if this will help, but Verizon updated Samsung (don't know about other brands) Android 5.0.1. Supposedly, this update fixes A LOT of the problems in the previous version. However, Verizon says they still don't have a fix for Stagefright.
  • Guys, if you jump into the sun, you'll get burned. No one's ever done it though, so we're gonna have to shackle everyone to the earth, for security.
  • relax...
  • Yeah, everyone *RELAX*.
    This was such a minor issue that Google, Samsung, and others had to INVENT whole new processes to provide monthly security updates.
    Naw, really... they were going to do it anyway, cuz they're such forward thinking, screw profits, kinda people.
  • It's all new to me, I'm just learning this shi... I'm tech illiterate so if the bug's in my pants I wouldn't know!
  • Here is a blog post from the guys that made this exploit publicly available: https://blog.zimperium.com/stagefright-vulnerability-details-stagefright... It shows how this exploit is applied "in action". Also, there's a link to an app in the play store that will tell you if your phone is vulnerable.
    Btw. my HTC One M7 with latest lollipop is vulnerable. Now, you decide how serious this is...
  • I would be interested to see a better explanation of how they got through the sandbox (you see them running as "media" initially) and how they got around ASLR.  The number shown in the demo is registered to "Bandwidth.com" in Austin, TX.
  • Lookout saw my note 4 not vulnerable but then I used Stagefright Detector from Zimperium it saw vulnerability after my tmo update today. So who is right and who is wrong
  • Zimperium says that there are 6 separate ways to exploit this bug. The Lookout detector is only looking for 3 of them.
  • The app says that my nexus 7 2013 is vulnerable even though it has the patch Google pushed out. Posted from my nexus 7 2013
  • So if Samsung are pushing out monthly security updates, why has it now been 3 weeks since the 925F got a new update, and I'm still waiting for it on my unlocked 920F? Posted via the Android Central App
  • AT&T pushed an update last night to my Samsung Galaxy S3. I ran the app and confirmed it's good now.
  • Added info on Stagefright: All devices running Android 4.0 or higher are already protected by other mechanisms within Android for all known attacks that this vulnerability has available. What these updates will do, is eliminate the potential of this vulnerability to capitalize on potentially unknown applications that this bug could take on - however there is nothing to indicate that this ever impacted a single device. The number of impacted devices listed in the whitepaper and ensuing response from Google's engineering team was 0. The volume of devices deemed at risk was estimated to be below .08%, though Google stated in another publication that it could have been as high as .15% of devices. The devices actually at the highest risk are devices with more than .5 GB RAM running Android 2.3.3 to 2.3.7 Gingerbread API level 10 on phones and 3.0 Honeycomb to 3.2.6 (API levels 11 through 13) on Tablets, GoogleTV and other devices with more than 1 GB RAM and are MMS capable (you can imagine this is a tiny number of devices).
  • Google despite its vast resources didn't find Stagefright (SF) which you trust. If I remember correctly SF has the ability to completely delete any trace that it was ever within an Android phone. So, how does Google, you or anybody else detect how many Android phones have been compromised, especially when security services are probably either using it or a modification of SF? To claim that the number of phones at risk is less than .16% must be balderdash because most phones weren't being given the update in the past and probably still aren't being given proper protection against SF. If the SF problem has been solved then why will Google, it appears, be providing security updates every month (if they keep their word, I assume) for all their 4.0+ devices? If Google's first patch actually protected Android phones then why was a second SF patch required when the first patch didn't work? How many devices are at highest risk especially when you claim that Google have solved the SF problem? List also all Android 4.0 devices that never got what you claimed to be the perfect patch against SF which wouldn't be protected? Provide the links where it is actually verified that Google have actually solved the SF problem with name, model number, operating system used, with the date for each (day, month & year) etcetera?
  • https://vid.me/bJSO SF info that those fucktards leaked.... It's like a rape....
  • https://vid.me/X5lA Part.End ... My Avast scanner found SF in the detector app...
  • It's good to know. Some apps are available in Google Play to detect SF like Norton Halt.
  • So what if we didn't download the software update at all?
  • You're probably far SAFER than the updated folk.... after all, Stagefright the potential exploit is one big SMOKESCREEN --- Android being chock-full of actual, heavily targeted exploits, and getting worse with each update. It's really quite unpleasant how they blow this out of proportion, while the pushed 4.xx >> 5.xx update totally messed up a few apps, hijacked memory card permissions in the name of "security" (read: we couldn't figure out how to do it so we just disabled it), allows forced-disabled and notifications-off apps to sneak themselves back on etc etc... Add to that how Google Chrome (and the nameless 'Browser', though I am not sure if that's a stock Google or a Samsung app) are stuffed full of security holes like Swiss cheese, and even enabling them for a couple hours will invariably lead to a Google Play Hijack that forcibly pops up buy-me pages for dodgy games on Google Play while you're in the middle of something else.... (disable browser, uninstall chrome, reinstall play to fix, then use dolphin or some other browser) Besides, the whole 'pushed updates despite being disabled' thing IS the major exploit in android... fortunately, keeping main storage space <500mb will make updates fail every time due to another silly bug
  • Proper dates should be given: day, month and the year or month, day and year. From what I can remember the first patch by Google was useless but Google claimed that they had no proof that any hacker actually used it, when Stagefright could probably and literally delete any trace that it had penetrated any Android smartphone 2.2+ version. Therefore don't have much faith in what Google have to say because they knew for a long period that the first patch was useless. When millions and probably billions of pounds sterling UK pounds are carried out globally and Google are claiming that a hacker wouldn't take advantage of probably the most dangerous Trojan against Android in history is balderdash. At the Black Hat conference in 2015 any competent hacker would then know about Stagefright whilst Android customers weren't being protected. What is needed is that all Android smartphones' customers should be able to get preferably monthly updates - 2 years supply of security is completely useless. Probably better value for money to buy a top of the range iPhone if they came with USB storage option. Back in 2015 I thought that Stagefright Detectors were useless because there probably doesn't appear to be patches to solve the Stagefright problem. I also want (a table or a list) to know the names, model numbers and which operating systems have and will be protected and to what extent there is protection against Stagefright.