
Android Stagefright Exploit Released to the Public

By Stephanie Mlot, Contributor


More than a month after revealing the Stagefright Android vulnerability, mobile security firm Zimperium has published details about its exploit.

The bug, discovered earlier this year by researcher Joshua Drake, was marked extremely dangerous—an attacker need only have your phone number to carry out a hack via text. No need to open a file or click a link; the attack could happen while you were sleeping, blissfully unaware that private photos, contact details, bank information, and websites were being accessed.

About 95 percent of Android devices, or 950 million smartphones, were vulnerable, the firm said.

Why reveal details, then? Patches have since been released, but concerns remain. Making the code available to the general public lets "security teams, administrators, and penetration testers alike...test whether or not systems remain vulnerable," Zimperium said.

"We're working closely with partners on the Stagefright fix," a Google spokeswoman told PCMag in an email. "Nexus 4/5/6/7/9/10 and Nexus Player are already fixed and will continue to receive monthly security updates that protect users further."

The tech giant released a huge update for Android phones to fight Stagefright, but the issue is widespread.

Google "released new versions of Hangouts and Messenger to block automatic processing of multimedia files arriving via MMS," for example, but "this attack vector constituted only the worst of more than 10 different ways (browsers, instant messengers, etc.) potentially malicious media is processed by the Stagefright library," Zimperium said.

Meanwhile, "myriad researchers [have] flocked to audit the Android code base and collectively discovered and reported numerous additional issues," the firm added.

According to Zimperium, most smartphones running Android 2.2 and later are vulnerable, though those running versions prior to Jelly Bean are at the highest risk. Owners of Silent Circle's Blackphone as well as users of Mozilla's Firefox are not affected.

Nvidia said yesterday that its latest update for the Shield tablet includes a security patch for Stagefright.

Drake, meanwhile, presented his research at last month's Black Hat.

Editor's Note: This story was updated at 1:10 p.m. Eastern with comment from Google.
