
Now Anyone Can Exploit Android's Stagefright Flaw

Stagefright is an Android security vulnerability that sounds scary on paper, but most Android users didn't exactly worry about getting bitten by it. That was fine until yesterday (Sept. 9), when Zimperium, a mobile-security firm based in Tel Aviv and San Francisco, publicly released the code needed to take advantage of the flaw.

Zimperium, which publicly disclosed the flaw more than a month ago, says the exploit code was released "for testing purposes," but the release does raise the risk to Android devices that have not yet been patched. So why did the security firm make the code public? Because Google has had months to fix the flaw (the company was privately informed in April), and its patches so far have been piecemeal and largely unsatisfactory.

Zimperium's thinking -- and this view is common among security researchers -- is that lighting a fire under a software company's behind will force the company's security team to more quickly push out a comprehensive solution to a bug.


In the case of Stagefright, the exploit code is especially dangerous because all an attacker needs to target an Android phone is its phone number. Until a fix reaches the device, merely receiving a malicious MMS message can give the attacker significant access to it. The Stagefright software library, part of Android's default media playback engine, parses the multimedia attachment automatically, on many devices before the user has even opened the message; a crafted media file triggers a memory-corruption bug in that parser, which lets the attacker run code on the device with the media service's privileges. Turning off automatic MMS retrieval in the messaging app closes the no-interaction path, although the same library still parses any media the user opens by hand.
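The bug class behind the Stagefright flaws is an integer overflow in libstagefright's MPEG-4 parser: a count read from the file is multiplied into an allocation size without an overflow check, so a crafted file gets a tiny heap buffer and then overruns it. The following is an added, constructed illustration of that pattern, not libstagefright's code and not Zimperium's exploit. The atom layout (a 4-byte big-endian entry count followed by 12-byte entries), the function names, and the two sample atoms are all invented for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not libstagefright's code and not Zimperium's
 * exploit. Invented atom layout: a 4-byte big-endian entry count followed by
 * `count` 12-byte entries. The bug class is the one behind the Stagefright
 * MPEG-4 parser flaws: a count read from the file is multiplied into an
 * allocation size without an overflow check. */
#define ENTRY_SIZE 12u

typedef struct { uint32_t first_chunk, samples_per_chunk, desc_index; } entry_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void read_entry(entry_t *dst, const uint8_t *e)
{
    dst->first_chunk = be32(e);
    dst->samples_per_chunk = be32(e + 4);
    dst->desc_index = be32(e + 8);
}

/* The allocation size the vulnerable pattern computes. Done in 32 bits it
 * wraps: count 0x15555556 * 12 == 0x100000008, truncated to 8. Returned rather
 * than allocated so the arithmetic can be checked without the overflow. */
uint32_t unsafe_alloc_size(const uint8_t *atom, size_t len)
{
    if (len < 4) return 0;
    return be32(atom) * ENTRY_SIZE;               /* BUG: silent wraparound */
}

/* Vulnerable parser: trusts the header count over the real atom length. On the
 * crafted atom below it would malloc 8 bytes, then write hundreds of millions
 * of entries past the buffer (and read far past the atom), so it is only
 * called on benign input here. */
int parse_table_unsafe(const uint8_t *atom, size_t len, entry_t **out, uint32_t *n)
{
    if (len < 4) return -1;
    uint32_t count = be32(atom);
    entry_t *tbl = malloc(count * ENTRY_SIZE);    /* BUG: wrapped size */
    if (!tbl) return -1;
    for (uint32_t i = 0; i < count; i++)          /* BUG: count never checked against len */
        read_entry(&tbl[i], atom + 4 + (size_t)i * ENTRY_SIZE);
    *out = tbl; *n = count;
    return 0;
}

/* Hardened parser: reject counts whose byte size cannot be represented (this
 * is what catches the crafted atom on a 32-bit build), and counts the atom
 * does not actually carry (what catches it on a 64-bit build), before
 * touching the heap. */
int parse_table_safe(const uint8_t *atom, size_t len, entry_t **out, uint32_t *n)
{
    if (len < 4) return -1;
    uint32_t count = be32(atom);
    if (count > SIZE_MAX / ENTRY_SIZE) return -1;   /* fix 1: overflow check */
    if ((len - 4) / ENTRY_SIZE < count) return -1;  /* fix 2: header must match data */
    entry_t *tbl = calloc(count ? count : 1, sizeof *tbl);
    if (!tbl) return -1;
    for (uint32_t i = 0; i < count; i++)
        read_entry(&tbl[i], atom + 4 + (size_t)i * ENTRY_SIZE);
    *out = tbl; *n = count;
    return 0;
}

/* Number of entries the hardened parser accepts, or -1 if it rejects the atom. */
int count_entries_safe(const uint8_t *atom, size_t len)
{
    entry_t *tbl; uint32_t n;
    if (parse_table_safe(atom, len, &tbl, &n) != 0) return -1;
    free(tbl);
    return (int)n;
}

/* Constructed sample atoms: a benign 2-entry table, and a crafted one whose
 * header claims 0x15555556 entries but carries one entry's worth of bytes. */
static const uint8_t BENIGN[4 + 2 * ENTRY_SIZE] = {
    0, 0, 0, 2,
    0, 0, 0, 1,  0, 0, 0, 4,  0, 0, 0, 1,
    0, 0, 0, 3,  0, 0, 0, 2,  0, 0, 0, 1,
};
static const uint8_t CRAFTED[4 + ENTRY_SIZE] = {
    0x15, 0x55, 0x55, 0x56,
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
};

int main(void)
{
    printf("crafted: unsafe parser would malloc(%u) for %u entries; safe parser returns %d\n",
           unsafe_alloc_size(CRAFTED, sizeof CRAFTED), be32(CRAFTED),
           count_entries_safe(CRAFTED, sizeof CRAFTED));
    printf("benign: safe parser returns %d entries\n",
           count_entries_safe(BENIGN, sizeof BENIGN));
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. The point of the two checks in the hardened parser is that neither the count field nor the product of count and entry size is trusted on its own: the size is validated against the arithmetic limit and against the bytes the atom really contains, which is the same discipline a media parser needs for every length field it reads from an untrusted file.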

Devices running Android 4.1 Jelly Bean and later are harder to exploit, because that release turned on full address-space layout randomization (ASLR), which makes the memory addresses an exploit has to hit unpredictable, and the specific bug Zimperium's code targets was neutralized in Android 5.0 Lollipop and later. As of this past week, pre-4.1 devices account for roughly 8 percent of Android devices that connect to Google Play, although that figure excludes millions of Android devices, such as Amazon's Kindle Fire line, that do not use Google-branded apps.

While Google worked with Zimperium's Joshua Drake to issue a patch, that process is still not complete.

Zimperium says that an "additional update is required" and that "this issue represents a significant risk to the ecosystem."

It remains to be seen whether Zimperium's release of the exploit code will speed it along.

The code is far from a universal hacking tool, though. Zimperium says it has "only tested it to work on a single device model," a Nexus device running Android 4.0.4. The exploit also attacks a vulnerability that Zimperium says was "neutered" by code in "Android 5.0 and later."