Every Android device is vulnerable to newly discovered bugs

With two new "Stagefright" vulnerabilities discovered, almost every Android device ever released is vulnerable to malicious hackers. Fixing the bug isn't simple.

Katie Collins Senior European Correspondent

Two major vulnerabilities have been discovered in Google's Android mobile software by the same security company that found a whole series of dangerous bugs earlier this year. Several of the bugs discovered by the security researchers pose a danger to every active Android device out there.

The two new bugs, which can expose people with Android-powered smartphones and tablets to attacks by malicious hackers, are the latest in a "library" of vulnerabilities that have come to be known as Stagefright. Zimperium zLabs initially discovered this class of vulnerabilities in April, but has now found the problem is broader than originally thought.

More than a billion Android smartphones and tablets are at risk of being compromised by the new bugs if their owners so much as preview video or audio files that have been specially crafted to exploit the vulnerability, zLabs said. The first of the bugs has the potential to impact almost every Android device going back to version 1.0 of the software, which was released in 2008. The second bug can be used to target all devices running later versions of Google's software, Android 5.0 and up. Google next week plans to release Android 6.0, aka Marshmallow.

Security holes are a serious problem. Depending on the severity, they can let attackers run programs of their own choosing on a computing device, gain access to sensitive documents, monitor network traffic, listen to keyboard activity, turn on a webcam or turn a computing device into a tool that launches attacks on other devices.

Google, based in Mountain View, California, tries to set a good Android example with prompt security updates to its Nexus family of devices, including the just-announced Nexus 6P and Nexus 5X that will come with Marshmallow. But compared to Apple's competing iOS operating system, which powers its iPhones and iPads, the Android market is more vulnerable to security holes.

That's because the vast majority of Android phones get software updates slowly, if ever. That's the case even with mainstream Android phone makers such as Samsung, Huawei, Sony and LG, each of which is responsible for software updates. However, some Android security problems are ameliorated by the fact that some Android components ship in a package called Google Play Services that Google itself updates.

Google told Motherboard it will issue a patch to Nexus users on October 5.

These particular Stagefright flaws would require hackers to trick Android users into opening a dodgy video or audio file within a website or third-party multimedia player. "The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue," zLabs said in its blog post.

zLabs informed Google of the latest Stagefright flaws on August 15 and has praised the company for responding promptly to the threat. A patch to fix the vulnerability will be released next week in an over-the-air update. Google pushes out these security updates to its flagship Nexus devices once a month.

Google said it shared details of the patch with Android device makers on September 10 in the hope that it can be pushed out to all Android users as soon as possible, according to Motherboard.

Google did not immediately respond to a request for comment.

The new Stagefright bugs likely aren't the last. In September, zLabs researcher Joshua Drake tweeted that he's reported 10 Stagefright vulnerabilities to Google.