Android Stagefright – A Big Loophole Users Should Know About
What’s 95% of 1 billion? The answer is: that’s how many phones are floating around out there with a serious vulnerability that could allow hackers to just reach in and grab what they want.
This big cyberthreat doesn’t really have a name yet, but we know how it works – it uses a media processing tool called StageFright that’s built into Android phones, and this astounding security flaw has experts really deeply concerned.
In this type of theoretical attack, hackers would send a video to an Android user’s phone. The StageFright application would start working on the video to process it for viewing, while an embedded piece of malicious data would take hold on the device and allow the exploit.
In other words, you get a video in a text message, but the malware will be hidden inside of the video. In some cases, the malware would start to work as soon as the text was sent, before any kind of action by the user. And that’s part of what’s troubling security experts.
Feedback on the StageFright Vulnerability
Bruce Schneier at Schneier on Security is calling this cyberthreat “a bad one,” pointing out that on some phones full-privilege access will be hard to protect against, that Google Hangouts, for example, can actually expedite or more fully allow this kind of hack, and that these types of activities could be replicated. Schneier also points out that Android platforms are relatively tough to patch, adding to the concerns everyone has about when this loophole would be fixed.
Other venues for cyber security news, such as Naked Security, are also touting the dangers of the StageFright problem. While admitting that these sorts of attacks have not happened yet, a poster on the Naked Security blog suggests that there are a number of factors that make security critical — that these types of malware would allow “shell code” to take control of the device as soon as the message is downloaded, a process called ‘remote code execution.’
The details of this particular vulnerability, and the concentrated anxiety that it is producing, will rank it right up there with Heartbleed and other major bugs of today’s highly scrutinized digital age.
Google’s Bug-Finding Program
Everyone acknowledges that as a platform, Android is tougher to maintain. It’s made that way for a reason – Android users get access to more private developer apps, and less of a “walled garden” than Apple users, but their freedom and the universality of their devices come with these sorts of dangers as a tradeoff.
To try to fix this, Google has come up with a program called Android Rewards that gives people incentives to help make security fixes for Android devices. The powerful one-two combination of monetary rewards and public recognition should provide incentives for individual developers and other users to pitch in to fix the kinds of security problems that are now plaguing the Android community. Monetary awards range up to $2000, and Google is hoping that these bounties help them corral some of the nastiest bugs out there. In the meantime, Google needs all hands on deck to deal with the StageFright vulnerability up front and get these phones closed to hackers, because that’s a lot of phones, because the automatic nature of the execution is extremely scary, and because companies that don’t provide safe platforms are going to lose the mobile wars of tomorrow.
Of course, adding another layer of security doesn’t hurt, so check out our article on the best VPNs for Android.