
"Stagefright" media playback engine

There's a scary-sounding story going around this morning about the "worst Android vulnerability in the mobile OS history!" (Exclamation point theirs, not ours.) The gist is that malware could be embedded in a video, which theoretically could be exploited without you doing a single thing. And, oh, just about every Android phone is vulnerable.
                                 

So should you worry? Let's discuss.

What is it?

Details are mostly being withheld publicly until the Black Hat conference next week in Las Vegas, but the gist is that malware theoretically could be embedded in a video file. And that video file could then be sent via MMS (text message) to your phone. The exploit comes into play with Google's (now regrettably named) "Stagefright" media playback engine, which was introduced in Android 2.2. And if you use a text messaging app that goes ahead and prepares that file for you for viewing — as Google Hangouts does, according to the example — your phone is potentially vulnerable, should a rogue video be processed.

Who found this exploit?

The exploit was announced July 21 by mobile security firm Zimperium as part of an announcement for its annual party at the Black Hat conference. Yes, you read that right. This "Mother of all Android Vulnerabilities," as Zimperium puts it, was announced July 21 (a week before anyone decided to care, apparently), and just a few words before the even bigger bombshell of "On the evening of August 6th, Zimperium will rock the Vegas party scene!" And you know it's going to be a rager because it's "our annual Vegas party for our favorite ninjas," complete with a rockin' hashtag and everything.

So, ya know, it's serious. Or something.

How widespread is this exploit?

The short answer is we don't really know. Any exploit that potentially affects any device back to Android 2.2 is absolutely no bueno. The Stagefright media engine is deep down in the Android OS. You don't want to see anything exploiting it. Zimperium apparently alerted Google in April and May, proposed patches, and Google accepted them. What we don't know is whether the fix has been pushed to Google's phones (the Nexus line), or if any manufacturers have pushed out the fix on their end. (We wouldn't put money on it, though.)

The good news is that the researcher who discovered this flaw in Stagefright "does not believe that hackers out in the wild are exploiting it." So it's a very bad thing that apparently nobody's actually using against anyone, at least according to this one person.

So should I worry or not?

Make no mistake about it: This is a bad exploit. And it further highlights the difficulties of getting updates pushed out through the manufacturer and carrier ecosystem. On the other hand, it's a potential avenue for exploit that apparently has been around since Android 2.2 — or basically the past five years. That either makes you a ticking time bomb, or a benign cyst, depending on your point of view.

And for its part, Google told Android Central that there are multiple mechanisms in place to protect users.

"We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.

Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."

For more on how that works, read our Q&A on security with Google's Adrian Ludwig.

This is an exploit that needs to be fixed, sooner rather than later — if it hasn't been already. But it's not one that's going to keep us up at night. There are a lot of unknowns, and unfortunately they're being ignored for the sake of scary-sounding storytelling.
