February 15, 2017

The Stagefright security flaw, said to have put a billion Android devices at risk when it was discovered in 2015, probably hasn’t infected a single smartphone. Adrian Ludwig, director of Android security at Google, says there have been no “confirmed” cases of infections caused by the bug, according to a report from The Register.

Stagefright made it possible for attackers to infect a device with malicious code through MMS and MP3 previews. The hackers could then grant themselves permissions on the device to take control of it.

Google, naturally, has a reason to play down the presence of security flaws on the Android system, just as antivirus software developers have a reason to inflate it. That said, Stagefright and similar security exploits generally rely on specific circumstances to be effective — and most Android security threats are simpler in nature.

“We see spamming ads for fake antivirus stuff but it’s really basic social engineering. Even if malware is installed it seldom involved privilege escalation, it primarily just downloads other apps,” said Ludwig.

Ludwig stated that Android’s Verify Apps system was the basis for the “no confirmed infections” claim, but I should point out that Verify Apps excludes devices that don’t make use of Google Play Services, like the Android phones sold in China or Amazon’s Android products.

Ludwig also discussed other Android exploits that have grabbed headlines over the years. The MasterKey vulnerability from 2013 put 99 percent of Android devices at risk but infected fewer than eight phones in every million. Meanwhile, the FakeID flaw from 2014 could have affected 82 percent of Android users but affected about one in a million (and only after details of it were released).

With such low rates of infection, it makes you question whether such security flaws are ever worth worrying about. Even if these threats had the potential to infect 100 percent of Android phones, instead of 99 percent, the chances of accidentally destroying your phone or having it stolen would likely remain far greater.

Are you surprised to learn that Stagefright hasn’t caused any damage? Let us know in the comments.

Scott Adam Gordon
Scott Adam Gordon is a European correspondent for Android Authority. Originally from the UK, Scott has been tinkering with Android phones since 2011 and writing about them full-time since 2014. He now lives in Berlin with three roommates he never sees.