Skip to main content

stagefright

See All Stories

Stagefright makes a comeback, and more than 1 billion phones are vulnerable

stagefright

The number of vulnerabilities found in Android’s Stagefright just grew, and this time devices from as far back as Android 1.0 are vulnerable to attack. This first vulnerability, affecting almost every Android device, is in “libutils” — and that’s just one of the vulnerabilities recently discovered by Zimperium. Another vulnerability was found in libstagefright that makes Android devices running software versions later than 5.0 vulnerable as well…
Expand
Expanding
Close

Sony Xperia Z1, Z Ultra, and Z1 Compact now getting Android 5.1.1 Lollipop

Xperia-Z1-Compact-Android-5.1_1-315x560.png 2015-09-14 13-39-31

If you’re still using one of Sony’s Xperia Z1 handsets from 2013, this little tidbit is for you. Apparently, Xperia Z1, Z Ultra, and Z1 Compact handset are getting updated to Android 5.1.1 in some countries (via XperiaBlog). Alongside some really neat updates like richer Xperia themes, several Camera improvements, and new SmartWatch 3 functionality, the update also fixes the vulnerabilities in Stagefright…

Along with the above changes, this update to Android 5.1.1 includes new settings menu icons, “additional options” for WiFi and Bluetooth in the notification pull-down menu, new icons in the Settings menu, LinkedIn integrations for Calendar and Contacts, enhanced enterprise features of some kind, and more. As mentioned, the Camera has also been updated including improvements for focus, speed, and accuracy in “Superior Auto” mode.

Here’s the full change log:

– Improvements to volume and silent mode control, more control of your alerts, simplified and enhanced design
– Integration of LinkedIn with your Calendar and Contacts
– Camera focus, speed and accuracy improvements in Superior Auto mode
– Many new features for Xperia in Business, enhancing enterprise support for Xperia
– Now take pictures from the camera using Sony SmartWatch 3; use the SW3 as a remote shutter button
– Instant calendar events – create & share smart events directly from any email
– Calendar agenda in Email – no need to switch apps to check upcoming events
– Richer Xperia themes
– New Settings menu icons
– Additional options for Wi-Fi and Bluetooth in notification menu

Stagefright vulnerability fixes for HTC One M9 and M8 on AT&T now rolling out

Google may have promised to keep its Nexus devices updated once a month, and was one of the first to push fixes for the vulnerability in Stagefright, but that doesn’t mean owners of other phones will see such prompt updates. Today, weeks since Nexus devices were patched, AT&T’s HTC One M9 and M8 are receiving over-the-air updates to keep you safe when sending MMS messages.

You can find information about both the HTC One M9 update and that for the HTC One M8 over at AT&T’s website. The OTA for the M9 comes in at just 55.53 MB, while the M8 update is 28 MB. These are pretty tiny numbers for OTA updates, so you shouldn’t expect much more from this update than the patch for Stagefright. It goes without saying that it’s still important to update though.

Head over to the Settings app and mash that refresh button, or just wait until your device tells you that you’re ready to go.

 

Verizon’s Samsung Galaxy S4 receives Stagefright patch, other fixes

Stagefright isn’t totally a solved issue just yet, but device manufacturers and carriers have continued work on rolling out a patch that mitigates the OS vulnerability until another one of Google’s monthly security updates. Today we get an update for Verizon’s version of the Samsung Galaxy S4 which includes that patch and then some.

The update, rolling out over-the-air (OTA) and first spotted by Android Police, includes nothing new at all but quite a few fixes for software bugs to go along with addressing the Stagefright vulnerability. Device carriers and manufacturers that make them have felt almost unanimously responsible for rolling out fixes for the issue due to its sheer potential for damage and ease of exploitation, to name just two reasons.

If you own a Samsung Galaxy S4 on Verizon, expect to receive a notification when the update hits your device, sometime within the next few days. You can also check for it manually by visiting Settings > About phone > System updates.

nexus2cee_2015-08-17-11_04_42-www.verizonwireless.com_dam_support_pdf_system_update_benefits-galaxy-s4-8-17-15-668x573
K1_banner

Even after security patch, Stagefright still likely poses a threat

android

Google and several of its manufacturer partners rushed to fix a vulnerability found within Android which could see malware installed through simply receiving an MMS message. Dubbed Stagefright, it was described as the worst vulnerability to be found since the dawn of the new Mobile OS era. According to one security firm, sadly, the patches being released by a number of Android OEMs aren’t enough to fully fix the vulnerability.


Expand
Expanding
Close

Sprint rolling out Stagefright vulnerability patch for HTC One M8

Like every other US carrier, Sprint has been working diligently to release a patch to the Stagefright vulnerability in Android to its lineup of phones, and today HTC One M8 owners get the fix.

The release notes for the update only list a “Patch for critical security vulnerability (‘Stagefright’)” as being included in this update, so don’t expect anything else.

Stagefright is a vulnerability spotted in Android’s default MMS behavior that makes delivering and executing code on an Android-powered smartphone as simple as delivering a rich text message. Android has the ability to fetch the contents of a message before the user even opens it (this functionality itself is called “Stagefright” in Android), and most messaging apps previously didn’t prevent this from happening because, why not? Pre-fetching contents would be ideal as it means the user doesn’t have to wait for something to download when they tap and open a message.

Unfortunately, however, it’s also an easy way for bad guys to gain control of your phone. Google’s default text messaging app on Android, Messages, as well as its Hangouts messaging app, have both received updates to solve this from happening. Other popular messaging apps have followed suite, but Google’s vulnerability patch means that more apps won’t need to do the same.

Since this is a carrier update it’s being rolled out in stages, so it could be a few days before you see it hit your device. You should receive a notification when it’s available, otherwise you can manually check by visiting Settings > About phone > System updates.

OxygenOS 1.0.2 update released with Stagefright patch for OnePlus One users

oxygenos

OnePlus One users running OxygenOS can now download the security patches to deal with the Stagefright vulnerability. OnePlus One announced in a blog post this morning that Oxygen OS 1.0.2 is now available to download, and fixes what some dubbed the worst Android vulnerability in the mobile device era. Customers are advised to ensure they back up all their data before flashing. Those using OxygenOS already won’t need to reset their devices.


Expand
Expanding
Close

Verizon Galaxy S6, S6 Edge, & Tab 4 10.1 now receiving Android 5.1.1 updates w/ Stagefright fixes, more

After starting to rollout updates to its Galaxy Note Edge and Note 4 variants earlier this week, Verizon today has begun pushing updates to its Galaxy S6, S6 Edge, and Tab 4 10.1 with a fix for the Stagefright exploit in tow. Verizon has shared official update changelogs on its website for all three updates, noting that it bumps the Android OS to version 5.1.1.


Expand
Expanding
Close

Google reveals details of first monthly Nexus security update in new Google Group

Site default logo image

google-security

Google’s Android security lead Adrian Ludwig has posted a detailed description of the security update recently issued by Google for Nexus devices. The update was designed to address the Stagefright vulnerability which has been described as the  “worst Android vulnerability in the mobile OS history.”

On August 5, 2015, we released an over-the-air (OTA) update for Nexus 4/5/6/7/9/10 and Nexus Player devices that includes several security fixes. The patches for these fixes have also been released to the Android Open Source Project (AOSP) source repository.  These issues are categorized and provided in decreasing order of severity.  We have also provided an assessment of each issue, given the information we have at the time of the publication of this bulletin … 


Expand
Expanding
Close

You can download Stagefright fix OTA updates for Nexus devices here

Google recently released a slew of factory images for Nexus devices, following the company’s new commitment to release a security update for its Nexus line each and every month. This one in particular fixes a vulnerability in Stagefright, and updates have been slowly rolling out over-the-air following the announcement. Below we have listed every device that actually received a new LMY48I factory image, alongside a direct link to their OTA .zip downloads…
Expand
Expanding
Close

Verizon Galaxy Note Edge, Galaxy Note 4 receive Stagefright patch

As countless manufacturers of Android devices line up to release patches for the “worst Android vulnerability in the mobile OS history,” as some researchers have described it, the Galaxy Note Edge and Note 4 on Verizon are next up.

The vulnerability patch for the Galaxy Note Edge was spotted on Verizon’s support site by Droid-Life, then owners of the Note 4 reached out to the site to share that their devices are receiving a security update as well.

Verizon’s support document for the Note Edge security update is comically short at only one page long — their software update PDFs are usually at least a couple of pages long. We haven’t seen a similar document for the Note 4 yet.

For those who don’t know, Stagefright is what researchers have named a vulnerability that can see malicious software delivered to a device through MMS text messaging and executed automatically, as most messaging apps on Android automatically download rich media sent via MMS, regardless of whether or not the receiver opens the message. Google’s Messages and Hangouts apps both include the ability to disable auto-fetching of MMS content, though, and it’s pretty easy to toggle off.

4.7-inch Alcatel OneTouch Idol 3 available in US and Canada from Friday

alcatel onetouch idol 3

Months after its initial announcement at MWC in Barcelona, Alcatel OneTouch is finally making the smaller, 4.7-inch Idol 3 available to buy in the US and Canada. You will be able to order the device for $179 from the company’s online store or  Alcatel’s official Amazon store from Friday, August 14. In terms of design, the 4.7-inch model looks virtually identical to its bigger brother. But it does come with different specifications.

Instead of housing a full HD display panel, the smaller phone comes with a 1280×720 resolution screen. Thanks to its size, that still pushes it over the 300ppi mark. It has a 13MP rear camera, 5MP front camera and has a 2,000mAh battery to keep it going all day. What’s more, it’s powered by a Quad-core 1.2GHz processor paired with 1.5GB RAM and with 16GB of internal storage. Like the bigger model, you can expand the memory using a MicroSD card, but only up to an extra 32GB. Surprisingly, for a phone this small, it still manages to pack in a pair of stereo front facing speakers powered by JBL audio, just like the 5.5-inch model.

On the software side, it runs Android 5.0.2, what’s more, a security update to patch the Stagefright bug will be available to download OTA as soon as you power the device on.

Overall, it’s a promising device but it will be interesting to see how well it compares to Motorola’s latest Moto G. At the same price point, and similar-ish specs, these two devices are clear competitors.

Motorola confirms StageFright bug fix coming to 11 smartphone lines including new Moto X and Moto G

moto x style

Motorola has joined several other Android OEMs in confirming that it will be rolling out a StageFright software fix for many of its popular smartphone lines. As you’d expect, this includes the newly announced Moto X and Moto G handsets as well as a number of older devices.

The new devices will be patched from launch, while others may be subject to the usual carrier approval and testing. Carrier partners will receive the software and start testing on August 10th. In all, there are 200 variants of software to be patched, tested and released. So it could take time for you to get your fix.

The list of devices includes:

  • Moto X Style (patched from launch)
  • Moto X Play (patched from launch)
  • Moto X (1st Gen, 2nd Gen)
  • Moto X Pro
  • Moto Maxx/Turbo
  • Moto G (1st Gen, 2nd Gen, 3rd Gen)
  • Moto G with 4G LTE (1st Gen, 2nd Gen)
  • Moto E  (1st Gen, 2nd Gen)
  • Moto E  with 4G LTE (2nd Gen)
  • DROID Turbo
  • DROID Ultra/Mini/Maxx

As I’m sure you’re now aware, it recently came to light that Android had a serious, gaping hole left in its coding. Dubbed ‘Android’s worst vulnerability in Mobile OS history‘ StageFright would essentially allow anyone with the ability and motive to include malware in any video MMS message. It could potentially affect your phone before you even open or see the message. To be safe, be sure to read our guide on how you can protect yourself against it until your software fix arrives.

LG joins Google and Samsung in committing to monthly security updates following Stagefright discovery

Site default logo image

lg

The major Android manufacturers seem to at last be getting serious about security. Following the recent discovery of the Stagefright vulnerability, Google announced that it would commit to issuing monthly security updates to Nexus devices for at least three years. Samsung yesterday said that it too would do the same, though without stating how long it would continue to support older devices. LG has now joined in, reports Wired.

LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately.

Other manufacturers have also responded quickly to Stagefright, with HTC, Sony and Android One among the groups to be issuing patches … 
Expand
Expanding
Close

How to check & protect against the “worst Android vulnerability” ever, Stagefright

stagefright

When mobile security researchers recently discovered what they described as the “worst Android vulnerability in the mobile OS history,” there appeared little you could do about it beyond waiting for your carrier or manufacturer to push Google’s fix. The exploit could auto-run as soon as you received an MMS designed to trigger it, whether or not you opened the message.

The same researchers have now created an app that allows you to check whether or not your devices has been patched against Stagefright, together with a step you can take to prevent the exploit from running automatically … 
Expand
Expanding
Close

Nexus 6, Nexus 5, many Samsung devices getting Stagefright fixes from Sprint

The Stagefright exploit is definitely not a minor problem, and it potentially affects basically any device going back to the early years of Android. But thankfully, Sprint has been pretty on top of pushing out fixes for as many devices as possible. Today, the carrier is pushing out Stagefright fixes, labeled simply as “Google Security Patch (Stagefright),” to a couple Nexus handsets and several of Samsung’s Galaxy-branded phones.

Here’s the full list of devices receiving the patch today, with links to Sprint’s support pages:

As usual, you should expect to see these updates roll out over-the-air over the course of the next few days. “Software updates may be released in stages and can take several days for delivery,” Sprint says. If you want to manually check to see if the update is available for your device, head into the system Settings app. But while Stagefright is not “no big deal” by any means, you’ll probably be fine until your device is updated.