The researcher who discovered Stagefright last year has revealed that even a year later and with all the attention that the vulnerability attracted, millions of Android devices are still vulnerable to it.
Joshua Drake discovered the Android Stagefright vulnerability last year, revealing how Android devices were susceptible to a remote attack that could give the hacker root access and let all kinds of malicious code run on victim devices. Almost a year after the discovery, he has revealed that millions of Android devices are still vulnerable to Stagefright.
The Android Stagefright vulnerability exploited a flaw in the Android video playback library that allowed a buffer overflow when an MPEG4 video file was played. The hacker would then be able to run malicious code thanks to the escalated privileges he or she obtained. However, the most troubling news about this vulnerability was the ease with which it could be exploited.
All an attacker needed to do was send a specially constructed multimedia message to the victim’s device, and he could then exploit the Stagefright vulnerability. Unlike other spear phishing attacks, Stagefright does not require any interaction from the user. Since Android phones open multimedia messages automatically, a user could be attacked without even knowing it.
For all they know, their device could be attacked and the traces of the attack removed while the phone remains locked, leaving the user with a trojaned phone.
Stagefright was reported to have affected over a billion Android devices. Google, as expected, began working towards sorting out this mess as soon as possible. They quickly released updates that took care of the Stagefright vulnerability and patched another hundred or so libstagefright- or mediaserver-related vulnerabilities on Android.
However, close to a year after the discovery of Stagefright, almost 850 million Android devices are still vulnerable to it. This is because the security updates and patches rolled out by Google have not reached all devices and Android versions. Old devices for which newer updates are not available are beyond help in this matter, but the worrying factor is that people running newer devices do not take security updates as seriously as they should.
Since its release, only 13% of Android users have installed Android Lollipop on their devices. This is a big flaw in the way users approach security updates and patches nowadays. Users don’t realize the risk they are opening their device to by running older software. Moreover, Google relies on phone manufacturers and service providers to roll out updates on their devices, which accounts for further delay in the update reaching the end users.
Although the company has invested a lot of resources in battling Stagefright, it comes to naught if the updates do not reach end users. The updates either don’t reach the devices or, worse, the users delay installing them on their device, which is why around 850 million Android devices are still vulnerable to Stagefright.