Stagefright
Pembroke
Enthusiast - Level 1

Two different Stagefright detector apps say the phone with the latest build (4GOG7) is vulnerable to this malware. Any idea when it might be patched?

SuzyQ
Community Leader

Here's a few facts (excerpts) about the Stagefright exploit - my source is Android 'Stagefright' exploit: What you need to know | Android Central

Yes, there are flaws in libStagefright, but there are other layers of security that should mitigate the possibility of devices actually being exploited.

Google addressed the situation specifically, with lead engineer for Android security Adrian Ludwig telling that "currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue."  What Ludwig was saying is that devices running Android 4.0 or higher — that's about 95 percent of all active devices with Google services — have protection against a buffer overflow attack built in.

The good news is that the researcher who discovered this flaw in Stagefright "does not believe that hackers out in the wild are exploiting it." So it's a very bad thing that apparently nobody's actually using against anyone, at least according to this one person. And, again, Google says if you're using Android 4.0 or above, you're probably going to be OK.

The bad news is that most folks are going to have to wait on the manufacturers and carriers to push out system updates. But, again — while we're talking something like 900 million vulnerable phones out there, we're also talking zero known cases of exploitation. Those are pretty good odds.

So, much ado about nothing?  Or a potential exploit blown out of proportion?  Take reasonable precautions, don't download video from unknown sources on your phone, and wait for a possible patch.  Just my thoughts.

Pembroke
Enthusiast - Level 1

Among other things, I work in the IT security field. I posted the message because the exploit existed, had for a while, and wasn't patched (most recent update, as others have noted, did apply a fix).

There is no such thing as absolute protection.  Security is NOT a preventative, it's merely a tactic to delay, to keep "them" out long enough so that WHEN (not IF) they get in, whatever you're trying to protect is no longer sensitive.

Researchers found the flaw and published. That makes it something, particularly as long as vulnerability testing reveals the possibility for exploit. While I understand the need to take reasonable precautions, this isn't and shouldn't be a "user" issue. As you correctly noted, Google and the OEMs have to generate a fix.

radar320
Contributor - Level 2

I downloaded and installed the latest update, ending in bog9, last night.  I ran the test this morning using the stagefright detector app I have, and it showed no vulnerability.

TheS1R
Contributor - Level 2

Yes, they FINALLY addressed the vulnerability. It took the third update since Stagefright was publicized. LMY47X.G925VVRU4BOG9 fixes it! This same update supposedly provisions the device for SAMSUNG Pay once it becomes available from the Play Store.