Now Anyone Can Exploit Android's Stagefright Flaw

Tom's Guide / Henry T. Casey

September 11, 2015 at 5:00 PM

Stagefright is an Android security vulnerability that sounds scary on paper, but most Android users didn't exactly worry about getting bitten by it. That was fine until yesterday (Sept. 9), when Zimperium, a mobile-security firm based in Tel Aviv and San Francisco, publicly released the code needed to take advantage of the flaw.

Zimperium, which disclosed the existence of the flaw more than a month ago, claims the exploit code was released "for testing purposes," but its move does endanger most Android devices. So why did the security firm make this code public? Because Google has had months to fix the flaw (the company was privately informed in April) and yet its patches have been piecemeal and largely unsatisfactory.

Zimperium's thinking -- and this view is common among security researchers -- is that lighting a fire under a software company's behind will force the company's security team to more quickly push out a comprehensive solution to a bug.

MORE: Best Antivirus Protection for PC, Mac and Android

In the case of the Stagefright exploit, the code is especially dangerous. With it, all one needs to hack an Android phone is the phone number attached to it. Until Google releases a fix, merely reading a maliciious MMS message will give the hacker significant access to the device. The Stagefright software library, part of Android's default media playback engine, processes the multimedia message, which triggers embedded code that hands control over to the attacker.

Android 4.1 Jelly Bean and up seems to be less vulnerable to Stagefright attacks, due to how the OS separates application data, and Android 5.0 Lollipop and up is largely immune. As of this past week, pre-4.1 devices account for roughly 8 percent of Android devices that connect to Google Play, although this excludes millions of Android devices, such as Amazon's Kindle Fire line, that do not use Google-branded apps.

While Google worked with Zimperium's Joshua Drake to issue a patch, that process is still not complete.

Zimperium says that an "additional update is required" and that "this issue represents a significant risk to the ecosystem."

It remains to be seen whether Zimperium's release of the exploit code will speed it along.

The code is far from a universal hacking tool, though. Zimperium says it has "only tested it to work on a single device model," a Nexus device running Android 4.0.4. The exploit also attacks a vulnerability that Zimperium says was "neutered" by code in "Android 5.0 and later."

Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Sports
Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'
Murray made a bad night on the court worse during a moment of frustration on the bench.
Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Sports
Yahoo Fantasy staff's Mock Draft 1.0: Shocking picks are plentiful
Teams have made their big splashes in free agency and made their draft picks, it's time for you to do the same. It's fantasy football mock draft time. Some call this time of year best ball season, others know it's an opportunity to get a leg up on your competition for when you have to draft in August. The staff at Yahoo Fantasy did their first mock draft of the 2024 season to help you with the latter. Matt Harmon and Andy Behrens are here to break it all down by each round and crush some staff members in the process.
Yahoo Finance
Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'
Ryan says he would be writing in a Republican candidate instead of voting for Donald Trump.
Yahoo Sports
Post-draft NFL fantasy power rankings: Offenses we love, like and want to stay away from
With free agency and the draft behind us, what 32 teams look like today will likely be what they look like Week 1 and beyond for the 2024 season. Matt Harmon and Scott Pianowski reveal the post-draft fantasy power rankings. The duo break down the rankings in six tiers: Elite offensive ecosystems, teams on the cusp of being complete mixed bag ecosystems, offensive ecosystems with something to prove, offenses that could go either way, and offenses that are best to stay away from in fantasy.
Yahoo Sports
Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1
It’s key to note that we’re not saying the “best team” or “best roster.” Instead, we’re talking about the best confluence of factors that can outline a path for survival and then success.
Yahoo Sports
Golf’s moment of truth is here, and the sport is badly flailing
Nonexistent negotiations and missed opportunities for reconciliation between the PGA Tour and LIV Golf have the sport stuck in place.
Yahoo Sports
Cardinals lose C Willson Contreras after left arm fractured by J.D. Martinez's swing
The Cardinals' nightmare season continues.
Yahoo Finance
These 3 stocks are poised to benefit from the massive energy transition
The energy transition will benefit companies providing electrical needs for surging demand. Analysts point to these three stocks as a Buy.
Yahoo Sports
Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap
Jake Mintz & Jordan Shusterman discuss the Padres-Marlins trade that sent Luis Arraez to San Diego, as well as recap all the action from this weekend in baseball and send birthday wishes to hall-of-famer Willie Mays.
Yahoo Sports
2024 NFL Team Fantasy Football Power Rankings, 1.0
With NFL rosters pretty much set before training camp, Scott Pianowski reveals his first set of team fantasy power rankings for the 2024 season.
TechCrunch
Nintendo finally confirms the Switch 2 is on the way
In the most anticlimactic way possible, Nintendo on Tuesday confirmed years of rumors: The Nintendo Switch 2 console is on the way. "We will make an announcement about the successor to Nintendo Switch within this fiscal year," wrote Shuntaro Furukawa, the president of Nintendo, on X. Rather, Furukawa wanted to warn users not to expect the actual announcement in next month's Nintendo Direct livestream.
Yahoo Finance
Social Security just passed Medicare as the government's most pressing insolvency risk
An annual government report offered a glimmer of good news for Social Security and a jolt of good news for Medicare even as both programs continue to be on pace to run dry next decade.
Engadget
The best budgeting apps for 2024
Budgeting apps can help you keep track of your finances, stick to a spending plan and reach your money goals. These are the best budget-tracking apps available right now.
Yahoo Sports
Pacers reportedly send NBA 78 missed calls by officials during Games 1 and 2 vs. Knicks
The Pacers identified 29 plays from Game 1 and 49 plays from Game 2 they did not agree with.
Yahoo Sports
NBA playoffs: Officials admit they flubbed critical kick-ball call in controversial final minute of Pacers-Knicks
Tuesday's last-2-minute report should be interesting.
Yahoo Sports
NFL Draft fashion: Caleb Williams, Malik Nabers dressed to impress, but Marvin Harrison Jr.'s medallion stole the show
Every player was dressed to impress at the 2024 NFL Draft.
Yahoo Sports
2024 NBA offseason previews: Team needs, free agents, draft picks, cap space and more
The 2023-024 NBA season isn't yet over. A number of teams are still dreaming of championship glory. But for those that have been bounced from the playoffs, it's time to reassess and re-evaluate for next season.
Yahoo Sports
The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024
Fantasy baseball analyst Dalton Del Don delivers his latest batch of hot takes as we enter Week 6 of the season.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Now Anyone Can Exploit Android's Stagefright Flaw

Recommended Stories

The FDIC change that leaves wealthy bank depositors with less protection

Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'

Former NBA guard Darius Morris dies at 33

Yahoo Fantasy staff's Mock Draft 1.0: Shocking picks are plentiful

Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'

Post-draft NFL fantasy power rankings: Offenses we love, like and want to stay away from

Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1

Golf’s moment of truth is here, and the sport is badly flailing

Cardinals lose C Willson Contreras after left arm fractured by J.D. Martinez's swing

These 3 stocks are poised to benefit from the massive energy transition

Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap

2024 NFL Team Fantasy Football Power Rankings, 1.0

Nintendo finally confirms the Switch 2 is on the way

Social Security just passed Medicare as the government's most pressing insolvency risk

The best budgeting apps for 2024

Pacers reportedly send NBA 78 missed calls by officials during Games 1 and 2 vs. Knicks

NBA playoffs: Officials admit they flubbed critical kick-ball call in controversial final minute of Pacers-Knicks

NFL Draft fashion: Caleb Williams, Malik Nabers dressed to impress, but Marvin Harrison Jr.'s medallion stole the show

2024 NBA offseason previews: Team needs, free agents, draft picks, cap space and more

The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024