Mobile security biz Zimperium reckons 600 to 850 million Android devices are still vulnerable to a Stagefright flaw that lets webpages and videos inject malware into phones and tablets.
Stagefright is a software library buried deep within Android that processes multimedia files. It is used by a key Android component called mediaserver, which runs with higher access to the device than normal apps.
When Stagefright is fed specially crafted video files, such as from a text message or website, these bugs can be triggered and exploited to run malicious code on the victim's gadget. This code can turn the phone or fondleslab against its owner, by spying on their passwords and photos, and so on.
Browsing a dodgy webpage hosting a booby-trapped MP4 video can, theoretically, be enough to start the hijacking process.
Although Google continuously and quietly pushes software updates and many security patches to about 90 per cent of active Android via its Google Play Services app, low-level bugs like those in Stagefright cannot be squashed without installing new firmware from Google.
And there lies the rub. Because these firmware updates have to be signed off by manufacturers and mobile networks before they can be installed, potentially hundreds of millions of Android devices remain unpatched and at-risk because fixes aren't distributed in a timely fashion – or at all. (Nexus devices are the exception: they can install Google's firmware updates via the Play services.)
Zimperium, which disclosed the first Stagefright bug in 2015, believes the number of vulnerable gizmos is higher than others fear due to tardy updates and versioning chaos.
In some cases, Android updates exposed users to risks that they were already patched against. For example, 5.1.1 is more vulnerable than 5.0, and 5.0.2 is more vulnerable than 4.4.4.
The state of patching in the fragmented Android marketplace is dependent on the device model and its manufacturer and the country the owner lives in. According to Zimperium, some countries are safer than others – in many there was almost no patching. In some countries, more than 70 per cent of Android devices are still vulnerable.
In all, as many as 856 million devices are still vulnerable to Stagefright bug CVE-2015-3864 – which was disclosed and patches released last year – according to Zimperium.
Exploiting Stagefright is far from trivial, but not impossible once you defeat Android's ASLR protections. Zimperium warns that once a generic exploit is public, the vulnerability might be harnessed to spread a worm, most likely through links to malicious websites spread via SMS, MMS or IM.
Carriers and instant-messaging services should be prepared to block chats with evil links to forestall such a spread, according to Zimperium. The company's reflections on the state of Stagefright patching can be found here. ®