Stagefright Patches Beginning To Appear On Nexus Handsets, Some Samsung Smartphones

Last week, a devastating Heartbleed-level Android vulnerability was revealed, which could allow malicious hackers to send malware to any Android user, without any action being required from the user.

Today, some phones, such as the Nexus 5, Nexus 6, Galaxy S5, Galaxy S6, Galaxy S6 Edge and the Galaxy Note Edge will receive a patch for this vulnerability, but many more phones remain open to this attack. For now, the Samsung devices are only receiving this update on Sprint. The same devices on other carriers will continue to remain vulnerable until they also send the patches in an OTA update. Sprint was also the one to announce the update for the Nexus devices, but the update will likely be available for all Nexus 5 and Nexus 6 models.

The malware can be sent through apps that allow the automatic retrieval of MMS messages, which can include just about any instant messaging application these days that has SMS and MMS integration -- even Google's own Hangouts.

Part of the solution seems to be to disable the automatic retrieval of MMS messages from all of these apps, but considering that the Zimperium researchers who found out about the Stagefright vulnerabilities haven't yet revealed all the information about it, it's not clear just how well that would work.

Ultimately, users can't be expected to remember to disable the automatic retrieval of MMS messages from all of their IMs, so the smartphone vendors will have to patch all the affected systems (which includes all of the existing versions of Android on the market, from Android 2.2 to Android 5.1.1).

Google released a patch for only the Nexus 5 and Nexus 6 today, and so far only Sprint has released the patch for the Galaxy Note Edge, Galaxy S5, Galaxy S6 and S6 Edge. All of these constitute a tiny percentage of the Android smartphone market, so much more needs to be done from all Android OEMs.

The Zimperium researchers are expected to discuss how the vulnerability works this week at the Black Hat conference. This should only put more pressure on OEMs to patch their devices before malicious hackers learn how to send malware to their users' devices by exploiting the vulnerabilities in Android's Stagefright media library.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • alesloan
    I'm in Switzerland and I have a retail Galaxy S6 (purchased in a regular shop, not through a carrier). I've received the update today.