Stagefright – The Heartbleed For Android


Stagefright is an Android subsystem that processes video in your phone.  Stagefright has been around since Android 2.2.  That means that the potential to affect around 950 million Android phones exists.

The bugs (there are several of them) that researchers have discovered are really nasty because at least one of them does not require the user to do anything at all to infect the phone; all the attacker needs to know is your phone number.  An attack could be constructed where the attacker sends you a multimedia message (MMS), which infects the phone and then deletes the message before you even see it.

The researcher will be presenting his findings next week at Black Hat.  Even if he does not lay out a "connect the dots" level of instructions, it won't take but a few days for the hackers to figure things out.  Remember, the code is open source.  That is good news/bad news.  Other hackers can look at the code too and try to figure out the same thing that this researcher did.  Someone will be successful and publish it underground.

Before everyone gasps, newer phones (Jelly Bean 4.1 and later) are LESS susceptible to Stagefright due to other compensating controls that Google has added in newer versions of the Android OS, but that still leaves several hundred million phones that are completely vulnerable, and many will never be patched.  And that does not mean that newer phones are completely off the hook – it is just harder.

And, it depends on the particular apps on the phone.  On one version of Messenger, on a Galaxy Nexus, you had to open the message for the exploit to trigger.

So far, Google has released patches to SEVEN vulnerabilities reported to them and they did that in a couple of days.

For all phones, if the exploit is triggered, the hackers will have access to your pictures and videos as well as the phone’s microphone and camera.

Worse yet, some phones, such as the Samsung S4 and LG Optimus Elite, run the exploitable process with system-level privileges, meaning that if one of those phones is attacked, the hacker has full run of the phone.  You don't want to hear my thoughts on that decision.

Now on to an old rant.  Even though Google has released the patch, they release it to the phone manufacturers.  The phone manufacturers then need to test it to make sure that the patches don't break any of their valuable bloatware (as one article put it somewhat inelegantly).  Depending on the manufacturer, that could take days or weeks.

Next the phone manufacturer needs to release it to the carrier.  The carrier needs to test it with their bloatware. That usually takes months.

Assuming the phone is still supported at all.

Google really needs to put its foot down here and force everyone to deal with this reality going forward.  I am not counting on that, however.

Hopefully, with all of the press this is receiving, the carriers will be worried about getting sued for not promptly closing vulnerabilities that were well known and for which patches were readily available.  We will see.


Information for this post came from Dark Reading and Forbes.
