How Frightened Should Android Developers Be Of Stagefright

Stagefright is a new Android vulnerability which was found and announced by Joshua J. Drake, Zimperium zLabs Vice President of Platform Research and Exploitation. Specifically the company says Stagefright is: “…what we believe to be the worst Android vulnerabilities discovered to date.”

Here is a rundown according to Zimperium, “These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7, found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction.”

The company advises Android users that: “Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a Trojaned phone.”

As an Android developer, there is not much that can be done as this is an OS issue. Google is issuing a patch for the vulnerability and like many similar situations, the public’s furor will die down and the situation will soon be a brief memory. 

One opportunity the news does present is for application security companies like Zimperium, who undoubtedly will see a rash of inquiries from companies looking for enhanced security options. Checkmarx jumped on the bandwagon issuing its advisory on the threat as has AdaptiveMobile. 

It’s certainly been an interesting past few days as the IoT has taken a major hit with the last week’s crazy Jeep hack report by Wired Magazine and now Android takes a hit with Stagefright. The public’s appetite for new technology and connectivity has so far been insatiable, however I wonder if we may soon reach a tipping point and see a consumer backlash – or it could be that the hits are coming so hot and heavy that people have just become desensitized.