Five years, two months, and nine days. That's how long it's been since the release of Android 2.2 (May 20, 2010). It's also how long a bug has existed on the Google Android mobile operating system that allows remote code execution.

So what exactly is this exploit and should we care?

In April, a security researcher named Joshua J. Drake discovered a vulnerability in the media handler on Android devices. (Stagefright is the name of the handler rather than the vulnerability per se.) Drake found that an attacker can craft a special type of media file that, once accessed on a vulnerable Android device, can execute arbitrary code without the device owner being aware of it. Pretty much all Android devices are vulnerable.

MMS is the most likely means of getting this media file to a victim’s device, but simply accessing the file over email or through a mobile web browser would have exactly the same effect.

It’s not quite as bad as it looks though. Mobile operating systems, unlike legacy PC operating systems, have been built with the principle of “least privilege” in mind. All applications run in different “sandboxed” environments with just enough system rights to accomplish their respective tasks. Although the Stagefright process responsible for managing media on Android devices cannot by itself gain access to private data on your device, it does have access to your phone’s microphone and camera and would be able to turn them on at will.

It is theoretically possible to combine the Stagefright exploit with a root vulnerability to allow an attacker to break out of the process sandbox and access sensitive data from other applications on your device, but that’s pretty unlikely.

As far as sensitive applications on Android are concerned – your mobile banking app for instance – it’s best to offload your critical security processing to the Trusted Execution Environment (TEE) available on many popular Android-based handsets. This is exactly what the Transakt SDK does to ensure protection against vulnerabilities such as that affecting Stagefright.

Christiaan Brand

FORMER CTO
