Back in May, security firm Trend Micro discovered a flaw in Google’s Android mobile operating system that Google acknowledged as a “low priority vulnerability.” That flaw, which affected Android 4.3 Jelly Bean up to Android 5.1.1 Lollipop, has not been patched by Google and can leave a device unusable. It can be exploited either through a malicious app installed on the device or by directing users to a website, and if it is delivered through an app, it can cause Android to crash every time the device is powered on.
That sounds pretty bad, right? Well, it’s nothing compared to the “Stagefright” Android security issue publicized this week. Stagefright is a system service in Android that processes various media formats. It is implemented in native C++ code, and it can be exploited through nothing more than an MMS message.
The Stagefright issue was patched by Google in the latest versions of Android. However, close to 95 percent of Android device owners are not running the latest version of the operating system, according to Zimperium, and the exploit affects everything from version 2.2 Froyo to 5.1.1 Lollipop.
Why aren’t users running the latest version of Android? After all, 85 percent of Apple mobile device users run iOS 8 or later, with another 13 percent on iOS 7. Most Android device owners can’t run the latest version of their OS because of restrictions put in place by handset makers, who load Android phones with their own “bloatware” apps. The result? Operating system fragmentation, with the vast majority of Android users running older versions of the operating system.
Stagefright could affect more than 950 million devices, and Trend Micro thinks that both it and the earlier security flaw are just the first of more Android security issues to come. To quote Trend Micro, “Further research into Android — especially the mediaserver service — may find other vulnerabilities that could have more serious consequences to users, including remote code execution.”
For protection against the Stagefright exploit, disabling auto-retrieval of MMS messages is recommended.
While no operating system — including iOS — is immune from hacker attacks, at least the majority of iOS devices could be patched by Apple in a very short amount of time without the need for third-party malware protection.