You may have heard recently about an Android security threat called “Stagefright.” It works by using the Android OS’s current method of taking action on text attachments even before they are opened, deploying malware to the device long before it can even be discovered. After taking a closer look, we at TechOrchard agree that this is a serious issue. The problem is summed up nicely in an excerpt from a CNN article below:
“… Even before you open a message, the phone automatically processes incoming media files — including pictures, audio or video. That means a malware-laden file can start infecting the phone as soon as it’s received, according Zimperium, a cybersecurity company that specializes in mobile devices.”
Stagefright impacts virtually all modern Android OSes and is probably the worst security flaw on a mobile device to date. Security bugs like these are more dangerous for Android than iOS due to the fractured nature of the OS. Unlike Apple and iOS security patches which can be made available over the air in a matter of hours from the patch being created, Android security patches are only applied quickly on Google Nexus devices. That’s because, as in this case, Google can create a patch immediately and distribute it to the Nexus devices it sells. Meanwhile, consumers are dependent upon other manufacturers like Samsung, LG, Huwei, et al., to pass along the Google security updates to their Android devices, which is often slow … if it happens at all.
When we first issued an update on this threat to our customers earlier in the week, Google had a patch ready almost immediately after the threat surfaced, but most other manufacturers had not approved or distributed the patch. However, because of the serious nature of the threat, Google, Samsung and LG have all announced that they will be moving into an environment of rolling out regular monthly over-the-air security updates to their devices. The first updates from all three companies will address the Stagefright vulnerability. HTC, Sony and Android One are also reportedly sending out the patch to customers, though they have not confirmed any sort of ongoing update schedule.
If you are a current customer, know that TechOrchard has made inquiries with each of our EMM solution vendors asking for any recommendations on how you might be able to correct this issue on device profiles and restrictions. As soon as we hear anything further, we will pass along that information. In the meantime, the researchers who uncovered Stagefright have developed an app that can tell you whether or not a particular device is vulnerable to the bug. The Stagefright Detector App is available free in the Google Play Store. Also, download our recommendations for Short-Term Mitigation Strategies for Android Stagefright to protect yourself in the interim.
