Stagefright

Unless you’ve been living under a rock over the last week or so, you’ve heard about the Stagefright vulnerability on a supposed 90% of Android devices. Stagefright is a multimedia library that exists as part of the Android Framework. Just over a week after the initial threat emerged, the details of the exploit have been released, along with a demo video and a tool to check if your device is vulnerable.

The video shows that as soon as an MMS is received, shell access to the targeted device can be obtained. This is followed by execution of the specific exploit (run as a media user) and voila: root access to the device is achieved in a matter of seconds, without the user needing to actually open the malicious MMS. It’s a very scary potential for someone to obtain root access to your device, particularly without you even knowing about it.

As mentioned in our original article about the vulnerability, you can minimise your risk by simply disabling the automatic download of MMS, and some third-party messaging apps claim to offer Stagefright protection.

The security firm Zimperium Mobile Security formed the Zimperium Handset Alliance earlier this month (perhaps as a reaction to the Stagefright vulnerability) to make threat mitigations on various platforms and fixes for the exposed vulnerabilities available sooner across the spectrum of manufacturers and handsets. On their blog, Zimperium state that they’ve launched the ‘Stagefright detector App’ for Android users to test if their device is vulnerable. The app is available for download on the Play Store; hit the link below if you’re keen to check on your device’s potential vulnerability.

Stagefright Detector
Developer: Zimperium INC.
Price: Free

Is the Stagefright vulnerability a serious threat to Android security, or is it just another storm in a teacup?

Source: Zimperium Blog.
2 Comments
Martin Dolan

I’m patched and it says vulnerable. It’s just a scam app to get you to use their services.

Level380

Don’t bother installing, the app comments say it still reports a patched Nexus as faulty. Seems all devices fail the test.