Articles about Stagefright

In the past few months, Android users have seen a series of attacks by hackers exploiting bugs, collectively putting more than a billion devices at risk worldwide.

In late July, Stagefright hit the news as a weakness in the system that was being exploited by hackers. This was followed by Stagefright 2.0 and Kemoge, making for massive malware attacks on Android phones in three out of the last four months.

Continue reading →

Holy cow, Google, what the heck is going on here? Android should have been a Utopian-like Linux-based operating system that was secure and available to all. Unfortunately, the only things being made available to the masses are vulnerabilities. Quite frankly, the search giant is giving Linux a bad name.

When the Stagefright vulnerabilities were made public, it really underscored how broken the Android update problem is. Hell, people like me -- longtime Android users -- switched to iOS as a result. A lack of operating system updates from both manufacturers and cell providers means many users are forced to live with vulnerable devices -- not acceptable. Today, new vulnerabilities dubbed Stagefright 2.0 are revealed, and most Android devices -- since 1.0 of the operating system -- are now at risk.

Continue reading →

Stagefright was one of the biggest and most worrying security vulnerabilities to be discovered in Android for quite some time. Affecting the mediaserver component, Stagefright allowed for the remote bricking of devices with nothing more than a message. Now a new, yet-to-be-named vulnerability has been discovered in the same component, specifically the AudioEffect element.

Known as CVE-2015-3842, the vulnerability allows a hacker to run their own code on a phone using whatever permission they want. Security researchers at TrendMicro discovered the vulnerability and explain that it can be implemented by simply tricking users into installing a specially-designed app that has no permission requirements and is therefore unlikely to raise suspicions.

Continue reading →

A lot of security systems are based on random numbers, prime numbers, or a combination of the two. But generating random numbers is not as random as you might expect -- or hope -- and it relies on sources of broadly random data that can be used as a starting point. The problem is that these sources of data are not large enough.

The entropy of data generated by Linux servers -- which are the backbone of much of the internet -- is, says security expert Bruce Potter, too low. Speaking at Black Hat USA 2015 -- an event which has already seen the unveiling of the Thunderstrike 2 firmware malware and the Stagefright-beating Certifi-Gate Android vulnerability -- Potter warns that the low entropy problem means that seemingly random numbers could in fact be easier to guess or crack than first thought.

Continue reading →

There have been numerous stories in recent days about the threat posed by Stagefright to Android users. A more serious threat has been revealed at Black Hat USA 2015, however -- one that affects hundreds of millions of Android devices. Known as Certifi-gate, a vulnerability has been found in Remote Support Tools which could allow for hackers to take full control of phones.

The security issue was discovered by Check Point, who has notified handset manufacturers of the vulnerability, and launched an app that you can use to see if your handset is affected. Stagefright led to many handset manufacturers announcing a switch to monthly security updates, and some have already issued a fix for Certifi-gate. However, it seems that HTC is a little slow off the mark this time around, particularly when it comes to patching newer phones.

Continue reading →

Stagefright took the Android world rather by surprise. As well as catching the industry with its pants down, it highlights a problem of mobile security: it's just not taken seriously enough. In response to the Stagefright vulnerability, both Samsung and Google announced new monthly security update cycles.

Not to be outdone, LG has now followed suit, and it would be surprising if we didn’t see more manufacturers of Android handsets doing exactly the same in the coming weeks. But in announcing its own monthly security update schedule, LG has highlighted another stumbling block for mobile security. Carriers.

Continue reading →

We've already looked at the Stagefright vulnerability, discovered by Zimperium, and shown what can be done to deal with it. Affecting up to 95 percent of Android devices, the vulnerability has led to Google and Samsung announcing monthly security updates.

Now the mobile security company has released additional details about how the exploit works. To help explain the vulnerability, a video has been produced which uses a Stagefright demonstration to illustrate it in action. Zimperium has also released an Android app that checks devices for the vulnerability.

Continue reading →