Checkmarx is a Leader in the 2021 Gartner Magic Quadrant for Application Security Testing

What you need to know about Stagefright?


Let’s start with a temporary workaround to avoid becoming infected

  1. Open the Hangouts App

    Hangout App Settings
  2. Click the hamburger menu and select “settings”
  3. Select SMS
  4. Select Hangouts as your default SMS app
  5. Uncheck ‘Auto-retrieve MMS’

Now that we got that out of the way we can start talking about the Stagefright vulnerability itself.

What is Stagefright?

Stagefright is a new vulnerability which was found, reported and announced by Zimperium, an Israeli enterprise mobile security company. The vulnerability can infect a device by simply downloading an MMS message (which happens automatically in most cases). Once infected, the hacker has full control over the phone’s data.


The flaw was detected in Google’s open source media library code. The library’s name is Stagefright, hence the name of the vulnerability. The library Stagefright allows Android devices to convert media, including those from MMS messages.

More information about the Stagefright engine can be found here:

The Stagefright bug/vulnerability is based on multiple issues which were detected in the Android Stagefright library which can be found on almost all Android devices.

The list of bugs which created the vulnerabilities is:

  • CVE-2015-1538
  • CVE-2015-1539
  • CVE-2015-3824
  • CVE-2015-3826
  • CVE-2015-3827
  • CVE-2015-3828
  • CVE-2015-3829

At the time of this report, the CVE’s descriptions were still kept private.


Infecting the device is the real interesting point here. The Android device just needs to receive a MMS message. The user doesn’t have to open the message in order to get infected. Once the MMS has been received the device has been owned!

Any reason for me to care?


If you are an Android user there is 95% chance that you are vulnerable to the Stagefright vulnerability. Upon infection, complete access to the user’s phone data is available. That includes contact, camera, photos microphone. An infected device does not show any symptoms so you might stay completely in the dark while someone is snooping around your personal stuff.


What now?


First of all go back to the beginning of this post and follow the 5 simple steps!


Google has been notified about the vulnerability and the numerous bugs quite a while ago and after a couple of days introduced the fix to the software. That, however, does not mean we are safe. It means that all the different mobile-phone makers need to implement the fix in their versions of the Android OS and distribute a patch to their users. This may take some time, however most mobile phone companies have already stated that they are working on it while others have announced availability of a patch or have already addressed the issue a while ago when it was reported to Google.


The Checkmarx Angle


Checkmarx’s CxSAST for Mobile delivers unique code security analysis for Android, iOS and Windows applications. Checkmarx ensures and eliminates code vulnerabilities during the coding process rather than waiting for them to appear at a later stage. Mobile Developers are constantly introduced with new and complex security challenges. Application permissions, data input vectors, sensitive data storage, supporting multiple operating systems and providing frequent version releases, cross application communication and cross platform functionality increase the risk of introducing vulnerabilities during development.


Checkmarx’s CxSAST for Mobile (part of CxSAST) addresses these challenges and takes mobile static analysis to the next level.


It is clear by now that the Stagefright vulnerability was a result of one or more code vulnerabilities. It is also clear that these could have been detected at an earlier stage of the development and resolved at that stage. What is not yet clear is what the exact vulnerability is however that should become clear within the coming days after the full information about the CVEs reported are disclosed.

Jump to Category