August 10, 2015
The emergence of Stagefright, a vulnerability that exposes Android phones to malicious code, has impacted all mobile companies using the Google operating system. Google has already fixed the problem in its own line of Nexus phones and tablets, and now plans to supply monthly security updates wirelessly. Both Samsung and LG have also announced they will be issuing a monthly security update; other impacted mobile phone manufacturers include Sony, HTC and Android One, all of which have provided or plan to provide Stagefright patches.
According to The Wall Street Journal, Zimperium Mobile Security researchers discovered Stagefright in late July. Delivered via MMS, the code can be remotely executed and the offending message can be deleted before the user sees it.
“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” explains Zimperium.
“What’s most alarming about it is that the victim doesn’t even have to open the message or watch the video in order to activate it,” reports Digital Trends. “The built-in Hangouts app automatically processes videos and pictures from MMS messages in order to have them ready in the phone’s Gallery app.”
The move to provide monthly security updates isn’t simply a response to Stagefright, but is part of what WSJ calls “broader concerns about the security of mobile devices as the primacy of laptop and desktop computers erodes.”
Wired describes the reaction to Stagefright as “uncharacteristically swift.” “It’s been just over a week since researchers alerted the public to the serious flaw that has been called the worst Android bug ever discovered, and the major Android manufacturers have already taken concrete steps to fix it.”
Larson Security executive Greg Kesner, formerly with the FBI’s data intercept program, told CIO Journal that “mobile devices are a prime target from the hacker’s perspective.”
“It’s probably now more useful to get onto somebody’s mobile phone than their laptop,” added Kesner, noting that state-sponsored hackers also target mobile applications and operating systems, especially against corporate networks.