AH Security-2

Stagefright Is Bad For Android

August 6, 2015 - Written By Mike Carey

Stagefright is a scary scenario which Google never wanted to happen and is an eye opener to everyone in the Android world.  From users, to carriers, to manufacturer’s everyone is reacting to the development of a major security flaw in every Android device since 2.2.

We live in a day in age where hacks happen all the time, it is almost a daily news report about a government hacking each other or a celebrity’s phone being hacked.  It has almost become the norm for us to hear stories like this and most of us don’t even bother to read about it because we all think this could never happen to us.  Well now it has happened to the Android world and it doesn’t just open our eyes to the hack but it’s how the fix won’t happen for most, that is the scary part.  This same thing happened to iOS earlier this year and everyone on Android laughed at their Apple loving friends and bragged how safe our phones were.  Now it is the Apple community laughing at us.  See the biggest difference is the fix.  Technology is not perfect and we accept that someone will always find a way to exploit it for their benefit and we expect manufacturers to fix the problem until the next is discovered.  The problem with Android is what attracts so many people to it, it’s open source.  Google has no control over Android and anyone who wants to use it can.  Google can fix Android to eliminate this exposure but it has no control over pushing that fix out to the users.  Every manufacturer and carrier customizes Android and that requires a lot of people to work together to develop a fix and send it out to the users.  This is the biggest difference between Apple and Google.  When Apple’s text message hack was announced Apple pushed out a fix shortly after.  All users were protected with that release.  Google cannot do that, Android isn’t set up that way.

Stagefright itself is a scary attack because you won’t know you are affected.  It is essentially a code that comes in via MMS and gives the sender complete control over your phone.  The worst part, you don’t have to click on the message or acknowledge the text message, so really the sender just needs your phone number and bam, they have everything on your phone.

Now Google stepped up and said they will issue frequent security updates but they can only be pushed to their Nexus line directly.  The other major manufacturers said they will follow suit but now it is up to the carriers to push those updates out.  AT&T and Sprint have said they will push those updates out to users with select devices but no other carrier has backed this plan as of yet.  And this also leaves millions of older devices still vulnerable to this attack and possible others.

Google is trying to take steps to combat this but it is a bigger task than we would like when our privacy is at stake.