Or rather, it was. Security researchers at NorthBit have developed a proof-of-concept Stagefright exploit, Metaphor, that reliably compromises Android phones. The key is a back-and-forth procedure that gauges a device's defenses before diving in. Visit a website with a maliciously-designed MPEG-4 video and the attack will crash Android's media server, send hardware data back to the attacker, send another video file, collect additional security data and deliver one last video file that actually infects the device.
It sounds laborious, but it works quickly: a typical attack breaks into a phone within 20 seconds. And while it's most effective on a Nexus 5 with stock firmware, it's known to work on the customized Android variants found on phones like the HTC One, LG G3 and Samsung Galaxy S5.
This doesn't amount to an in-the-wild attack, and you'll be fine if you're running Android 6.0 Marshmallow or any other OS version patched against Stagefright. The catch is that relatively few people are in that boat -- most Android users are running Lollipop or earlier, and only some of those devices have Stagefright patches. You're probably fine if you own a relatively recent device, but your friend with a years-old Android phone is at risk.
Google has provided a response that elaborates on what we knew: you're protected against this if your phone has at least the October 1st, 2015 security update installed. Read the full statement below.
"Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community's research efforts as they help further secure the Android ecosystem for everyone."