New Stagefright security exploit puts a billion Android devices at risk -[AndroidTutor2018]

AndroidTutor2018- The Android security problem known as Stagefright is back, in a new and just-as-worrying form. The original Stagefright issue, which has been causing concern for months, exploited a weakness in the Android media handler, allowing hackers to execute code through videos embedded in MMS messages. Now, a similar vulnerability has been discovered for audio files. Find out everything you need to know about Stagefright below.

How secure is Android, really? / © ANDROIDPIT
A new Stagefright threat that targets Android phones through MP3 and MP4 files has been discovered. The code hides within the audio file and activates once users preview it or visit a page where the file is embedded. This audio preview function exists within most versions of Android, so nearly every Android device is susceptible to this exploit. The malicious code can also be sent to a user's phone via public Wi-Fi.
So far no infected devices have been reported. Google is currently working on a fix and says it will issue a security update in October. A rollout from individual carriers will begin soon after.
To learn more about the original Stagefright vulnerability and how to guard your phone against it, see our previous coverage below.



What is Stagefright?
Stagefright has been called the biggest Android security concern ever. It occurs when malicious code is unknowingly triggered by media in multi-media messages (MMS). Stagefright could affect a billion devices, most particularly those running Android Jelly Bean or earlier. This number, if you've taken a recent look at the percentages of different Android versions currently in use, is staggering.

This is how the Stagefright exploit works. / © Zimperium
Only 18 percent of Android devices are running a version of Android Lollipop and less than three percent are using Android 5.1. More than 40 percent are running Jelly Bean or earlier. (KitKat also accounts for around 40 percent of users.)
The good news is that Google has clarified that a technology known as Address Space Layout Randomization (ASLR) has been part of Android ever since Android 4.0 Ice Cream Sandwich. ASLR is supposed to protect users from the Stagefright attack method because the memory addresses a process uses change from one run to the next, so an exploit cannot count on finding code or data at a known location.
But the process is not perfect and nefarious attempts to circumvent ASLR are apparently already underway. Researchers have already demonstrated how Stagefright can be triggered via apps or even URLs. Fortunately those avenues require the user to manually retrieve the video, unlike MMS, which is retrieved automatically.
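One way to check the ASLR claim above on a device you administer, as an added example that is not from the original article: compare where libraries are mapped in two snapshots of a process's /proc/<pid>/maps taken on separate runs. The snapshots, addresses and the binary name example_daemon are constructed sample data; a mapping that keeps the same base address in both runs is one that randomization did not cover.

```python
# Added example. Both snapshots are constructed sample data in the
# /proc/<pid>/maps format; "example_daemon" is a hypothetical binary name.
SNAPSHOT_RUN_1 = """\
00008000-0000a000 r-xp 00000000 b3:17 402 /system/bin/example_daemon
b6c10000-b6d4e000 r-xp 00000000 b3:17 1201 /system/lib/libstagefright.so
b6d4e000-b6d58000 r--p 0013e000 b3:17 1201 /system/lib/libstagefright.so
b6e20000-b6e6a000 r-xp 00000000 b3:17 1130 /system/lib/libc.so
b6f00000-b6f04000 rw-p 00000000 00:00 0
be8d1000-be8f2000 rw-p 00000000 00:00 0 [stack]
"""
SNAPSHOT_RUN_2 = """\
00008000-0000a000 r-xp 00000000 b3:17 402 /system/bin/example_daemon
b6b74000-b6cb2000 r-xp 00000000 b3:17 1201 /system/lib/libstagefright.so
b6cb2000-b6cbc000 r--p 0013e000 b3:17 1201 /system/lib/libstagefright.so
b6d91000-b6ddb000 r-xp 00000000 b3:17 1130 /system/lib/libc.so
b6e5c000-b6e60000 rw-p 00000000 00:00 0
bea43000-bea64000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Return {pathname: lowest start address} for every named mapping."""
    bases = {}
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:  # anonymous mapping: no pathname column
            continue
        start = int(fields[0].split("-")[0], 16)
        name = fields[5].strip()
        bases[name] = min(start, bases.get(name, start))
    return bases


def compare_runs(run_a, run_b):
    """Split mappings present in both runs into (fixed, moved)."""
    a, b = parse_maps(run_a), parse_maps(run_b)
    fixed, moved = [], {}
    for name in sorted(a.keys() & b.keys()):
        if a[name] == b[name]:
            fixed.append(name)  # same base both times: not randomized
        else:
            moved[name] = (hex(a[name]), hex(b[name]))
    return fixed, moved


if __name__ == "__main__":
    fixed, moved = compare_runs(SNAPSHOT_RUN_1, SNAPSHOT_RUN_2)
    for name, (first, second) in moved.items():
        print(f"randomized  {name}: {first} -> {second}")
    for name in fixed:
        print(f"FIXED       {name}: same base in both runs")
```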

Some apps, such as Hangouts, automatically process MMS video, so watch out. / © ANDROIDPIT
How do I know if I am affected by Stagefright?
How do you know if your phone is affected? You have a couple of options. Both of the following apps will tell you if you are vulnerable to Stagefright.
Download Stagefright Detector app from Zimperium Inc.
Download Stagefright Detector from Lookout Mobile Security

Both apps will let you know if your device is vulnerable to Stagefright. / © ANDROIDPIT
How do I stop Stagefright?
The bad news is there's not much you can do as an end-user. The current band-aid solution is to go into your messaging app's settings and turn off auto-retrieve for MMS (this goes for the default Messaging app as well as Hangouts).
You may also want to disable auto-downloads in WhatsApp. Go to Settings > Chat Settings > Media Auto-Download and make sure video auto-downloads are disabled under 'When using mobile data', 'When connected on Wi-Fi' and 'When roaming'.
Generally speaking though, steer clear of any suspicious MMS messages with videos in them, especially from people you don't know, and just hope your manufacturer and carrier get the patch out to you as quickly as possible.

Disable auto-retrieval of MMS and don't open MMS from people you don't know. / © ANDROIDPIT
As soon as you see a pending update on your device, install it immediately, and use one of the apps above to ensure you are no longer vulnerable. Of course, the apps will offer to provide you with protection if your device is vulnerable, but we have no way of telling how effective that protection is.
Which phones will get the Stagefright patch?
Several manufacturers have already announced they will issue a Stagefright patch (and several will now start monthly security updates). We've listed the manufacturers that have made an announcement below, along with any devices that have been confirmed for the update.
Google Stagefright update
Naturally, Google was the first to announce a Stagefright fix for the Nexus line of devices (along with monthly security updates). Android One devices have reportedly been patched already.
Nexus 6 Android update
Nexus 5 Android update
Nexus 4 Android update
Nexus 9 Android update
Nexus 7 (2013) Android update
Nexus 7 (2012)
Nexus Player
Samsung Stagefright update
Samsung was also quick to issue a statement about the Stagefright patch and monthly updates for its most popular devices. Various carriers, including Sprint and AT&T, were quick to issue statements and push the patch out for the devices listed below.
Several other popular devices, including the Galaxy S4 and Galaxy S3, are apparently on the 'to-do' list for a patch, but we don't know exactly when that will come.
Galaxy S6 Android update
Galaxy S6 Edge Android update
Galaxy S6 Active
Galaxy S5 Android update
Galaxy S5 Active
Galaxy Note 4 Android update
Galaxy Note Edge Android update
Motorola Stagefright update
Motorola has now joined the Stagefright chorus, announcing a huge list of devices to be patched.
Moto X Style (patched from launch)
Moto X Play (patched from launch)
Moto X (2014) Android update
Moto X (2013) Android update
Moto X Pro
Moto Maxx/Turbo Android update
Moto G (2015)
Moto G (2014) Android update
Moto G (2013) Android update
Moto G 4G LTE (2015)
Moto G 4G LTE (2014)
Moto E (2014)
Moto E (2013) Android update
Moto E 4G LTE (2015)
DROID Turbo
DROID Ultra/Mini/Maxx
LG Stagefright update
LG confirmed to Wired that it would be updating several devices and launching monthly security updates, although no official statement has yet been issued. The devices that apparently have the fix in the pipeline include:
LG G4 Android update
LG G3 Android update
LG G2 Android update
HTC Stagefright update
HTC has also pushed the Stagefright patch to several devices, but no official statement has been made on monthly security updates.
HTC One M9 Android update
HTC One M8 Android update
HTC One Android update
Sony Stagefright update
As with HTC and LG, Sony has issued no official statement, but the following devices have reportedly been patched for the Stagefright bug:
Xperia Z4
Xperia Z3 Android update
Xperia Z3 Compact Android update
Xperia Z2 Android update
Are you affected by Stagefright? What are your thoughts on Android security issues?

Readers' favorite comments
23 Mark G. Aug 10, 2015
Hackers will always try to find exploits, the main thing is how Android responds.

Unfortunately Android needs to change how it delivers updates. All OS updates including security should be handled by Google play store eliminating the need to wait for carriers to deliver or not.

Carriers should only need to update their own part of the OS.

That's the main problem with Android. There's too much fragmentation.
5 Go to comment >
24 comments



1 Kevin O'Keeffe Oct 4, 2015 Link to comment
I was able to screen mirror when I bought my galaxy s6 onto my TV
Screen mirroring won't work at the moment
Any ideas as why I can't access screen mirroring
0
Reply




7 Suo Eno Oct 2, 2015 Link to comment
1. It's high time that Google put OHA to good use. I mean for rough example has anyone checked out OHA's last news update on their website? That's right....2011.... An alliance that's about as functional as any economic blocs = not

2. And if that can't work then the Android user base from now on should vote with their dollars very very carefully and decisively. Buy only when you really need to upgrade and only from OEMs with a steady fw/sw rollout record. You know what I mean. Just pick one lesser evil (let's face it; every Android partner OEM on Earth Samsung included prays to the planned obsolescence deity = buy a new phone, get updated faster) over the other and IGNORE the gimmicks. No use for 4K screens, dual rear cams or hell some kind of a full body scanner later on if our bread and butter data on our device are about as safe as Kim K's well lubed ass prancing around in some back alley.

Hate to say it as far as options go but it remains clear that only a Nexus is the de facto bang for buck hands down in this regard.
0
Reply


17 BruinGuy Oct 2, 2015 Link to comment
Of course address space layout randomization makes it almost impossible to use this exploit.
0
Reply


23 CJ Brown Oct 2, 2015 Link to comment
The new Asus ZenFone 2 is secure and comes with Trend Micro pre-installed (I use Trend Micro on my Toshiba Laptop as it's the best Security, along with not being an ignorant Smartphone / Computer user).

I agree with EVERYONE who suggests that Google needs to work with all Manufacturers & Carriers with continued Updates offering protection from Hackers (yes Google recently sent an email to encourage Encryption, but having attended Def-Con Hacker Convention? I'm reminded that it's easy to exploit any device - even when Encryption is in use).

Finally - I don't use WhatsApp (never have, never will) as it's the Microsoft Outlook Express of the Smartphone (lol)!
0
Reply


10 Mehul Pandita Oct 2, 2015 Link to comment
My Moto G 2nd Gen got an update for its fix 2-3 days ago.
0
Reply


2 Saif Ghole Sep 17, 2015 Link to comment
Protect your device from stagefright vulnerability will you receive security update from the manufacturer.
Check it here- www.mytechalbum.com/how-toprotect-your-android-from-stagefright/
0
Reply


3 Lin Sep 15, 2015 Link to comment
If this is so bad and hits so many android users why is this not being pushed through a bit faster?
1 CJ Brown
Reply


1 Darryl Holmes Sep 10, 2015 Link to comment
My phone has stage fright, and it's breaking my will to live :/
0
Reply


1 Clayton Aug 12, 2015 Link to comment
I have the lollipop 5.1.1 but the apps tell me I'm vulnerable. Why?
0
Reply


23 Mark G. Aug 12, 2015 Link to comment
You presumably received the 5.1 update before the patch for stagefright was issued.
0
Reply


1 Clayton Aug 12, 2015 Link to comment
Can I redownload the version update? Seems silly to have to get the same version that I already have. 5.1.1 is supposed to be the fix.
0
Reply


3 Gabor Ravasz Aug 18, 2015 Link to comment
Flash the 5.1.1 if you had it before the update and do all wipes like cache data/factory reset 3 times and don't get the updated Android version. My Note 4 Sprint already made strange things but I fixed it and I'm on 5.1.1
0
Reply


2 Gina N Aug 11, 2015 Link to comment
The Lookout app said my device is fine and the other one said it was vulnerable
2 GT OhhCecilia Sonnier
Reply


3 Gabor Ravasz Aug 18, 2015 Link to comment
Lookout contains malware itself like McAfee too.
0
Reply


16 Frank Neulichedl Aug 11, 2015 Link to comment
My Nexus Devices got an OTA update last night and now all my Nexus 4/7/5 are safe.
0
Reply


2 Cecilia Sonnier Aug 11, 2015 Link to comment
I downloaded the Lookout application referenced in this article. When I did a restart of my phone, I got a warning about the app and chose to uninstall.
0
Reply


16 Frank Neulichedl Aug 11, 2015 Link to comment
The Lookout App is safe - how did you get a warning for this app? Do you have another antivirus app installed?
1 Cecilia Sonnier
Reply


2 Cecilia Sonnier Aug 11, 2015 Link to comment
Yes, I am with Verizon and they have a security app that comes with it. I also have McAfee and I have the Lookout security app installed.
0
Reply


3 Gabor Ravasz Aug 18, 2015 Link to comment
My tech friends told me it's very bad that on the LG G4 devices McAfee is pre-installed coz that security app itself is malware. Even the owner of that company made a video and left the company too.
0
Reply