You probably are well aware, at least if you are tuned in to the Android world, of the family of bugs called Stagefright. Well now there is Stagefright 2.0 and this will be an opportunity for Google and the carriers to prove to us whether they can deal with ongoing security patches or not – something Apple’s iPhone has well in hand, giving Apple the competitive advantage.
As a reminder, Stagefright 1.0 dealt with a series of 6 or 7 bugs related to how Android preprocessed video – in that case, with video text messages called multimedia messages or MMS.
The scary part is that Stagefright, the name of the video subsystem in Android that does this video processing, by default runs in the background so that you can be infected without actually doing anything – no clicks, no downloads, no interaction at all. You can turn that background preprocessing off but I doubt very many people actually did that.
All a hacker needs to infect you is your phone number.
The patch process was slightly ugly from Google, but mostly ugly from the carriers. The challenge for the carriers is (a) they don’t get revenue from patches, (b) they still are fooling themselves that they are NOT in the software business and (c) they really are not set up to deal with this. The consequences are that some people will ditch their Android phone and rent a phone, absent a 2 year contract, from Apple. That has to keep the carriers’ executives up at night.
So now we move on to Stagefright 2.0. Zimperium, the firm that discovered the original bugs, has found more Stagefright bugs. This time it affects MP3 and MP4 files. Google JUST released patches for these bugs to Nexus phone users. It is now up to the carriers to release these patches to you and me.
In addition, Zimperium has said they are working with Google on another handful of bugs, so this is certainly not the last patch to expect in the near future.
There is a Stagefright Detector app in the Google Play store. There actually two; I would recommend the one from Zimperium. It is free and does not require any special privileges. They don’t want to steal your address book or copy your email or anything like that! What is a bit unnerving is that you don’t have to interact with the app for it to play the hack scenario and see if you are vulnerable. The Zimperium app tests for each bug individually, so you might see 6 green and 2 red or 7 red and 1 green or whatever the situation is.
If you begin to see red (pun intented), then you need to beat up your carrier – they control the patches. This is an opportunity for the carriers to get the patch act together. We will see if they do.
Will the fun never end?