New “Stagefright” Hack Exposes 275 Million Android Phones | Fortune

A Samsung Electronics Co. Galaxy Note Edge smartphone running the Android mobile operating system displays the Google Inc. Hangouts app in this arranged photograph in New York, U.S., on Wednesday, July 29, 2015. A researcher at a security firm revealed a hole in Android's source code that hackers can exploit, if they have a phone's number, with a text. Photographer: Chris Goodney/Bloomberg via Getty Images

An Israeli security firm identified a lingering vulnerability in older versions of the OS.

The Israeli security firm NorthBit has demonstrated an exploit that could allow hackers to access data and functions on a wide range of versions of Android, after users access malicious websites. The vulnerability that makes the hack possible exploits an Android code library called “Stagefright,” which processes several media formats. It was discovered last year, but apparently Google didn’t fix the weakness in all versions of Android.

As reported by Ars Technica, NorthBit has named its exploit “Metaphor.” Vulnerable versions of Android include versions 2.2 through 4.0, as well as 5.0 and 5.1. Altogether, about 275 million phones run those versions.

The exploit does have two significant limiting factors. First, it has to execute different code to hijack each specific model of phone, making it more difficult for a hacker to deploy it at massive scale without building many different versions.

It is also effectively blocked in the latest version of Android, 6.0 Marshmallow, and Google has said a security patch released in October of 2015 protects some older installs.

As Ars points out, however, updating to the latest operating system is not easy or even possible on all Android phones, so the best security advice is still pretty much the oldest in the book—don’t click on unknown web addresses from untrusted sources.
