Android Stagefright Flaw Zero-Day Vulnerability

Last Updated: 07/20/2016

Security Notice Level

SEVERE

Zimperium zLabs has disclosed a zero-day flaw in the Stagefright media playback engine that affects roughly 95% of Android devices. The flaw allows malware to be delivered via the MMS application and requires no user interaction. This vulnerability may allow remote code execution and/or denial of service.

Affected Software

Android versions 2.2 to 5.1

Solution

Until a vendor-provided patch is issued by Google, disabling auto-retrieve of SMS/MMS may partially mitigate this vulnerability; see link [1] below. According to Zimperium, Android devices older than 18 months are unlikely to receive an update at all.

Security Bulletin Name

Zimperium - Experts Found a Unicorn in the Heart of Android
Twilio Blog - How to Protect Your Android Phone From the Stagefright Bug
VB - Researchers find vulnerability that affects 95% of Android devices
Threatpost - Android Stagefright Flaws put 950 million devices at risk

Additional Information

Additional information about this vulnerability can be viewed at:
http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html [1]
http://venturebeat.com/2015/07/27/researchers-find-vulnerability-that-affects-95-of-android-devices/
https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960

If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or help@colorado.edu.