Local telcos begin issuing Stagefright fixes, but majority of Android smartphones still vulnerable
Many of the 950 million Android smartphones thought to be affected by Stagefright are still considered vulnerable, two weeks after the exploit was discovered.
Stagefright is a vulnerability in the Android operating system's media library of the same name, and is deemed highly dangerous as hackers can take advantage of it without the need for user interaction. The vulnerability can be exploited with a specially coded MMS; in some circumstances, the message could even delete itself after infecting a user's phone.
While some local telcos have begun issuing fixes for handsets such as the HTC One M9, security updates for others could be over a month away at best. In the worst-case scenario, some devices may never receive a fix due to the way in which Android updates are distributed, says Adrian Wood, ethical hacker and director of security firm Whitehack.
"The way Android handles updates like security updates is very different to Apple," Wood told CyberShack. "If an equivalent bug to Stagefright was found on iOS, Apple could just push an update to every iPhone and protect them within 48 hours of it being discovered. Android handles updates slightly differently. The Android source code goes out to manufacturers like Sony, Samsung and LG, and they make tweaks and play around with the code a bit and launch it out on a phone. So when a bug is found, Google can patch the Android source code and push it out to Samsung, but then Samsung has to make it work on their phones."
Smartphone users with cheaper Android handsets are at the greatest risk of never receiving a Stagefright fix, according to Wood, as companies tend to end support for budget devices faster than for their premium models.
"If you're a person who's not buying the flagship model of a phone, you can be in a really tricky situation because the support period for Android's operating system is quite short, especially compared to Apple. You could not go to the store and buy a brand new iPhone that's out of the support period."
"The blanket solution is tricky, because if you're not in the financial position to buy an AUD$900 phone, it's likely the only thing you can do […] is disable MMSs and be careful when you open them."
Following Stagefright's discovery, Google, Motorola, LG and Samsung have all committed to releasing monthly security updates for their Android smartphones.
Lead Engineer for Android Security Adrian Ludwig said that security is one of Google's top priorities, and that monthly updates are yet another tool to "keep Android users safe".
"Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store," wrote Ludwig on the official Android Blog.
Samsung delivered a similar message on its official blog, saying that it has fast-tracked updates for Galaxy devices.
"With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," said Samsung Executive Vice President Dong Jin Koh. "Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected."
While faster updates from major Android OEMs are a promising sign, Android software updates can face delays at the carrier end, as carriers often test updates internally before deploying them to customers.
Telstra expects the first of the security updates to be available to consumers from today.
"We are working closely with device manufacturers, who are in the process of developing software patches to protect devices from the vulnerability," a Telstra spokesperson told CyberShack. "We are already testing some of these updates, and we expect the first to be released to our customers from today. Customers will receive a notification on the availability of the update via the pull down notification menu on the device."
Telstra-bought models of the HTC One M9 and Nexus 5 should already have a fix available. The Samsung Galaxy S6 and Galaxy S6 Edge are both scheduled to receive updates on August 31, the LG G4 is scheduled to receive an update on September 7, and Sony's Xperia Z1 and Z1 Compact should receive an update on September 28.
Timing for other Telstra handsets has yet to be confirmed.
An Optus spokesperson told CyberShack that the company has been talking with handset manufacturers, and is awaiting a fix tailored for its network.
"Optus is aware of this issue. We have been in contact with Google and handset manufacturers," said the spokesperson. "We understand they are looking to roll out a software update as soon as possible."
A Vodafone spokesperson told CyberShack that it treats software updates as a priority.
"We continue to work closely with our device partners to provide over-the-air software updates to customers," said the spokesperson. "As soon as we receive a new software update for testing from a device partner, we put it into testing as a matter of priority so it can be pushed out to customers as soon as possible."
Zimperium, the company that discovered the Stagefright vulnerability, has released a Stagefright Detector App that lets users know if their phone is protected against the exploit. The app can be downloaded from the Google Play Store.
Users who have a vulnerable device can protect themselves by disabling automatic MMS retrieval in their message app of choice. This can be found under Advanced Settings in Google Messenger, and under SMS in Google Hangouts. Other messaging apps should all have similar settings. After applying these settings, users are advised against opening MMSs from unfamiliar numbers.
7:34pm 10/08/15 – Updated with a comment from Vodafone