115 Stagefright-related Vulnerabilities Have Been Patched a Year after Its Discovery

Last year, a serious Stagefright vulnerability was discovered in Android that affected millions of Android devices out there. The exploit allowed hackers to gain system or media permissions on an Android device using a malicious MMS. 

The issue was so serious that Google and other OEMs finally started paying proper attention to security updates and patches for their devices. It even played a key role in the monthly security patches that Google and other OEMs have started rolling out on a monthly basis for their devices since then.

However, a year after it was first discovered and patched, Google has released 115 patches for media server-related vulnerabilities and flaws. Out of these, 49 were directly related to the ‘libStagefright’ process in Android, the same process which was used in the original hack.

As per Drake, the vice president of Platform Research and Exploitation at Zimperium and the founder of the original Stagefright vulnerability, Stagefright-type vulnerabilities have been used in targeted attacks, though their very nature makes them very difficult to detect. He also says that since Google has a habit of dumping older versions of Android once it releases a new version of the OS, millions of devices will continue to be at risk of any Stagefright related hack.

“Google sort of abandons older versions of Android, and only provides security fixes for them,” Drake said. “This fact, combined with the practice of shipping security improvements in new major releases only, underscores the need for faster adoption of new major versions of Android.”

With Android Nougat, Google is taking some major steps to make the OS more secure by including security checks that will prevent the OS from booting on devices whose software is corrupt or compromised. However, as Drake mentioned, it is unlikely that Google will be backporting this feature to older versions of Android, and the lack of support from OEMs mean that millions of Android devices out there will continue to remain vulnerable to some form of Stagefright-type flaws.

[Via eWeek]